From 8e9c789ae188f8b73cc6f776a3ead21f0dfd4ca6 Mon Sep 17 00:00:00 2001
From: Alexander Barton
Date: Mon, 2 Jan 2023 22:32:16 +0100
Subject: [PATCH] Better validate MODE +k & +l parameters and return errors Implement new numeric ERR_INVALIDMODEPARAM_MSG(696) and: - Reject channel keys with spaces and return ERR_INVALIDMODEPARAM_MSG; This was possible until now and resulted in garbled IRC commands later. - Reject empty channel keys and return ERR_INVALIDMODEPARAM_MSG; This was possible until now and resulted in garbled IRC commands later. - Return ERR_INVALIDMODEPARAM_MSG when user limit is out of bounds; This was silently ignored until now. Closes #290. Thanks Val Lorentz for reporting it!
---
 src/ngircd/irc-mode.c | 36 +++++++++++++++++++++++++++++-------
 src/ngircd/messages.h | 4 +++-
 2 files changed, 32 insertions(+), 8 deletions(-)
diff --git a/src/ngircd/irc-mode.c b/src/ngircd/irc-mode.c
index 4a26ef02..0ea046e5 100644
--- a/src/ngircd/irc-mode.c
+++ b/src/ngircd/irc-mode.c
@@ -620,6 +620,18 @@ Channel_Mode(CLIENT *Client, REQUEST *Req, CLIENT *Origin, CHANNEL *Channel)
 Client_ID(Origin), Req->command);
 goto chan_exit;
 }
+ if (!Req->argv[arg_arg][0] || strchr(Req->argv[arg_arg], ' ')) {
+ if (is_machine)
+ Log(LOG_ERR,
+ "Got invalid key on MODE +k for \"%s\" from \"%s\"! Ignored.",
+ Channel_Name(Channel), Client_ID(Origin));
+ else
+ connected = IRC_WriteErrClient(Origin,
+ ERR_INVALIDMODEPARAM_MSG,
+ Client_ID(Origin),
+ Channel_Name(Channel), 'k');
+ goto chan_exit;
+ }
 if (is_oper || is_machine || is_owner || is_admin || is_op || is_halfop) {
 Channel_ModeDel(Channel, 'k');
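Review bot: The new key check in the `+k` branch rejects only an empty key and a key containing `' '`, so other bytes that are awkward on the wire still pass. A key that begins with `:` or contains `,` looks likely to cause the same kind of trouble the commit message describes: a leading colon can be read as a trailing-parameter marker when the mode change is relayed, and keys are comma-separated in JOIN. Consider widening the test, e.g. `if (!Req->argv[arg_arg][0] || Req->argv[arg_arg][0] == ':' || strpbrk(Req->argv[arg_arg], " ,\t")) {`, after confirming how Channel_SetKey and the JOIN key parser treat these bytes, which this hunk does not show. The body of Channel_Mode starts and ends outside the hunk.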
@@ -660,15 +672,25 @@ Channel_Mode(CLIENT *Client, REQUEST *Req, CLIENT *Origin, CHANNEL *Channel)
 Client_ID(Origin), Req->command);
 goto chan_exit;
 }
+ l = atol(Req->argv[arg_arg]);
+ if (l <= 0 || l >= 0xFFFF) {
+ if (is_machine)
+ Log(LOG_ERR,
+ "Got MODE +l with invalid limit for \"%s\" from \"%s\"! Ignored.",
+ Channel_Name(Channel), Client_ID(Origin));
+ else
+ connected = IRC_WriteErrClient(Origin,
+ ERR_INVALIDMODEPARAM_MSG,
+ Client_ID(Origin),
+ Channel_Name(Channel), 'l');
+ goto chan_exit;
+ }
 if (is_oper || is_machine || is_owner || is_admin || is_op || is_halfop) {
- l = atol(Req->argv[arg_arg]);
- if (l > 0 && l < 0xFFFF) {
- Channel_ModeDel(Channel, 'l');
- Channel_SetMaxUsers(Channel, l);
- snprintf(argadd, sizeof(argadd), "%ld", l);
- x[0] = *mode_ptr;
- }
+ Channel_ModeDel(Channel, 'l');
+ Channel_SetMaxUsers(Channel, l);
+ snprintf(argadd, sizeof(argadd), "%ld", l);
+ x[0] = *mode_ptr;
 } else {
 connected = IRC_WriteErrClient(Origin, ERR_CHANOPRIVSNEEDED_MSG,
diff --git a/src/ngircd/messages.h b/src/ngircd/messages.h
index 76a04ff9..1bbfa699 100644
--- a/src/ngircd/messages.h
+++ b/src/ngircd/messages.h
@@ -1,6 +1,6 @@
 /*
 * ngIRCd -- The Next Generation IRC Daemon
- * Copyright (c)2001-2020 Alexander Barton (alex@barton.de) and Contributors.
+ * Copyright (c)2001-2023 Alexander Barton (alex@barton.de) and Contributors.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@@ -162,6 +162,8 @@
 #define ERR_USERNOTONSERV_MSG "504 %s %s :User is not on this server"
 #define ERR_NOINVITE_MSG "518 %s :Cannot invite to %s (+V)"
+#define ERR_INVALIDMODEPARAM_MSG "696 %s %s %c * :Invalid mode parameter"
+
 #ifdef ZLIB
 # define RPL_STATSLINKINFOZIP_MSG "211 %s %s %d %ld %ld/%ld %ld %ld/%ld :%ld"
 #endif
--
2.39.2
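Review bot: In the `+l` branch of src/ngircd/irc-mode.c the limit is still parsed with `atol()`, which cannot report trailing garbage or overflow, so a value such as `10abc` is accepted as 10 and an out-of-range digit string has undefined behavior before the new bounds check runs. Since this hunk is about validating the parameter, `strtol()` fits better: `errno = 0; l = strtol(Req->argv[arg_arg], &end, 10);` followed by `if (end == Req->argv[arg_arg] || *end != '\0' || errno == ERANGE || l <= 0 || l >= 0xFFFF) {`. That needs a `char *end;` local and `<errno.h>`, both of which would live outside this hunk. In both the `+k` and `+l` hunks the parameter check now runs before the privilege check, so a user without channel privileges receives 696 rather than ERR_CHANOPRIVSNEEDED for a bad parameter; a one-line comment stating that this order is intended would help.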
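Review bot: The new `ERR_INVALIDMODEPARAM_MSG` in src/ngircd/messages.h hard-codes `*` in the position where the numeric would carry the offending parameter, and nothing says why. A short comment above the define would document the format arguments and the reason, for example `/* args: nick, channel, mode char; the rejected parameter is sent as "*" because it may be empty or contain spaces */`. The reason given there is inferred from the commit message, so adjust it if the intent was different.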