| commit | be41f91d00a106aba0c9f5d1dd64b67530981ce2 | |
| author | rofl0r <retnyg@gmx.net> | |
| Sat, 21 Jan 2017 01:22:14 +0000 (21 01:22 +0000) | ||
| committer | rofl0r <retnyg@gmx.net> | |
| Sat, 21 Jan 2017 01:22:14 +0000 (21 01:22 +0000) | ||
| tree | 977b9e3744596874348daf1db14184ce0607da80 | treesnapshot (tar.gz zip) |
| parent | d5b4c86b243b6fe4eec4d64c4899cb97bd5b66e7 | commitdiff |
fix 2 potential vulns with rogue IRC servers
on a malicious or mitm'd server, the adversary could try to send
a string without space in it and cause an out-of-bound read.
also usage of atoi() is not safe with untrusted input[0].
we counter the issues by using our custom atou() function,
and by 1) initializing our buffer once entirely, so there
can be no unitialized memory access, and 2) securing the buffer
tail with a canary containing a space on every iteration before
the buffer is passed on to read_cb(), which then loops til it
encounters a space. this approach is safe and inflicts only a
tiny overhead, compared to checking the length on every byte
in the while(!isspace()) loop.
both issues were reported by aleksey cherepanov.
[0] http://www.codepolice.org/c/atoi.html
on a malicious or mitm'd server, the adversary could try to send
a string without space in it and cause an out-of-bound read.
also usage of atoi() is not safe with untrusted input[0].
we counter the issues by using our custom atou() function,
and by 1) initializing our buffer once entirely, so there
can be no unitialized memory access, and 2) securing the buffer
tail with a canary containing a space on every iteration before
the buffer is passed on to read_cb(), which then loops til it
encounters a space. this approach is safe and inflicts only a
tiny overhead, compared to checking the length on every byte
in the while(!isspace()) loop.
both issues were reported by aleksey cherepanov.
[0] http://www.codepolice.org/c/atoi.html
| jsbot.c | diffblobblamehistory |