head 1.2; access; symbols pkgsrc-2013Q2:1.2.0.46 pkgsrc-2013Q2-base:1.2 pkgsrc-2012Q4:1.2.0.44 pkgsrc-2012Q4-base:1.2 pkgsrc-2011Q4:1.2.0.42 pkgsrc-2011Q4-base:1.2 pkgsrc-2011Q2:1.2.0.40 pkgsrc-2011Q2-base:1.2 pkgsrc-2009Q4:1.2.0.38 pkgsrc-2009Q4-base:1.2 pkgsrc-2008Q4:1.2.0.36 pkgsrc-2008Q4-base:1.2 pkgsrc-2008Q3:1.2.0.34 pkgsrc-2008Q3-base:1.2 cube-native-xorg:1.2.0.32 cube-native-xorg-base:1.2 pkgsrc-2008Q2:1.2.0.30 pkgsrc-2008Q2-base:1.2 pkgsrc-2008Q1:1.2.0.28 pkgsrc-2008Q1-base:1.2 pkgsrc-2007Q4:1.2.0.26 pkgsrc-2007Q4-base:1.2 pkgsrc-2007Q3:1.2.0.24 pkgsrc-2007Q3-base:1.2 pkgsrc-2007Q2:1.2.0.22 pkgsrc-2007Q2-base:1.2 pkgsrc-2007Q1:1.2.0.20 pkgsrc-2007Q1-base:1.2 pkgsrc-2006Q4:1.2.0.18 pkgsrc-2006Q4-base:1.2 pkgsrc-2006Q3:1.2.0.16 pkgsrc-2006Q3-base:1.2 pkgsrc-2006Q2:1.2.0.14 pkgsrc-2006Q2-base:1.2 pkgsrc-2006Q1:1.2.0.12 pkgsrc-2006Q1-base:1.2 pkgsrc-2005Q4:1.2.0.10 pkgsrc-2005Q4-base:1.2 pkgsrc-2005Q3:1.2.0.8 pkgsrc-2005Q3-base:1.2 pkgsrc-2005Q2:1.2.0.6 pkgsrc-2005Q2-base:1.2 pkgsrc-2005Q1:1.2.0.4 pkgsrc-2005Q1-base:1.2 pkgsrc-2004Q4:1.2.0.2 pkgsrc-2004Q4-base:1.2 pkgsrc-2004Q3:1.1.0.10 pkgsrc-2004Q3-base:1.1 pkgsrc-2004Q2:1.1.0.8 pkgsrc-2004Q2-base:1.1 pkgsrc-2004Q1:1.1.0.6 pkgsrc-2004Q1-base:1.1 pkgsrc-2003Q4:1.1.0.4 pkgsrc-2003Q4-base:1.1 netbsd-1-6-1:1.1.0.2; locks; strict; comment @# @; 1.2 date 2004.11.26.11.39.05; author adam; state dead; branches; next 1.1; 1.1 date 2003.03.29.21.20.30; author salo; state Exp; branches 1.1.2.1; next ; 1.1.2.1 date 2003.03.29.21.20.30; author grant; state dead; branches; next 1.1.2.2; 1.1.2.2 date 2003.04.06.20.58.25; author grant; state Exp; branches; next ; desc @@ 1.2 log @Changes 1.1: * Fixed bug with using [$8] in expressions (Reported by BlackJac) (Patch from |Rain|) (BugID: 64) (powuh) * Fixed bug in /set show_end_of_msgs. When OFF prevented hooking of some end_of_msg numerics. 
(Reported by BlackJac) (Patch from |Rain|) (BugID: 51) (powuh) * Fixed incorrect ordering of operations in screen.c which caused an off-by-one access at the end of the buffer. (Patch from |Rain|) (BugID: 48) (powuh) * Fixed ischanvoice() to be compatible with epic. Maintained reverse functionality so as not to break existing scripts. (Patch from |Rain|) (BugID: 20) (powuh) * Fixed segfault with convert_output_format not honoring MAX_RECURSE. (Patch from |Rain|) (powuh) * Fixed possible rogue server exploit: If a rogue server sends us a ctcp request from an extremely large nickname (over about 512 bytes), we may attempt to alloca() a negative value, which under gcc will return an invalid pointer, the contents of which will then be overwritten. (Reported by O_6) (Patch from |Rain|) (powuh) * Fixed segfault with channel mode parsing. (Patch from O_6) (powuh) * Removed auto_resume script, it's not needed any more (caf). * Fixed string copying snafu in gtkbitchx.c (reported by Huey) (caf). * Added STATUS_USER20 to STATUS_USER39 (patch from BlackJac) (caf). @ text @$NetBSD: patch-ai,v 1.1 2003/03/29 21:20:30 salo Exp $ Fixes potential remote buffer overflows. See the following url for more details: http://securityfocus.com/archive/1/315057 Patch by caf@@guarana.org. 
--- source/misc.c.orig 2002-03-24 10:31:07.000000000 +0100 +++ source/misc.c 2003-03-29 21:44:37.000000000 +0100 @@@@ -3110,42 +3110,47 @@@@ static char result[IRCD_BUFFER_SIZE/4 + 1]; char temphost[BIG_BUFFER_SIZE + 1]; char *host; + char *atsign; if (!hostname) return NULL; - host = temphost; - *result = 0; - memset(result, 0, sizeof(result)); - memset(temphost, 0, sizeof(temphost)); - if (strchr(hostname, '@@')) - { - if (*hostname == '~') - hostname++; - strcpy(result, hostname); - *strchr(result, '@@') = '\0'; - if (strlen(result) > 9) - { + + atsign = strchr(hostname, '@@'); + if (atsign) { + if (*hostname == '~') { + strcpy(result, "~*@@"); + } else { + size_t ident_len = atsign - hostname; + + if (ident_len <= 9) { + /* copy ident@@ */ + strmcpy(result, hostname, ident_len + 1); + } else { + strmcpy(result, hostname, 8); result[8] = '*'; - result[9] = '\0'; + result[9] = '@@'; + result[10] = '\0'; } - strcat(result, "@@"); - if (!(hostname = strchr(hostname, '@@'))) - return NULL; - hostname++; } - strcpy(host, hostname); + hostname = atsign + 1; + } else { + *result = 0; + } - if (*host && isdigit(*(host + strlen(host) - 1))) + strlcpy(temphost, hostname, sizeof temphost); + host = temphost; + + if (*host && isdigit((unsigned char)*(host + strlen(host) - 1))) { /* Thanks icebreak for this small patch which fixes this function */ int i; char *tmp; - char count=0; + char count = 0; tmp = host; - while((tmp-host), see the following url for more details: http://securityfocus.com/archive/1/315057 Patch from bugtraq by . @ text @d1 1 a1 1 $NetBSD$ @ 1.1.2.1 log @file patch-ai was added on branch netbsd-1-6-1 on 2003-04-06 20:58:25 +0000 @ text @d1 113 @ 1.1.2.2 log @Add new file (requested by salo in ticket #1239): Bump PKGREVISION: fix several potential buffer overflows found by Timo Sirainen @ text @a0 113 $NetBSD: patch-ai,v 1.1.2.1 2003/04/06 20:58:25 grant Exp $ Fixes potential remote buffer overflows. 
See the following url for more details: http://securityfocus.com/archive/1/315057 Patch by caf@@guarana.org. --- source/misc.c.orig 2002-03-24 10:31:07.000000000 +0100 +++ source/misc.c 2003-03-29 21:44:37.000000000 +0100 @@@@ -3110,42 +3110,47 @@@@ static char result[IRCD_BUFFER_SIZE/4 + 1]; char temphost[BIG_BUFFER_SIZE + 1]; char *host; + char *atsign; if (!hostname) return NULL; - host = temphost; - *result = 0; - memset(result, 0, sizeof(result)); - memset(temphost, 0, sizeof(temphost)); - if (strchr(hostname, '@@')) - { - if (*hostname == '~') - hostname++; - strcpy(result, hostname); - *strchr(result, '@@') = '\0'; - if (strlen(result) > 9) - { + + atsign = strchr(hostname, '@@'); + if (atsign) { + if (*hostname == '~') { + strcpy(result, "~*@@"); + } else { + size_t ident_len = atsign - hostname; + + if (ident_len <= 9) { + /* copy ident@@ */ + strmcpy(result, hostname, ident_len + 1); + } else { + strmcpy(result, hostname, 8); result[8] = '*'; - result[9] = '\0'; + result[9] = '@@'; + result[10] = '\0'; } - strcat(result, "@@"); - if (!(hostname = strchr(hostname, '@@'))) - return NULL; - hostname++; } - strcpy(host, hostname); + hostname = atsign + 1; + } else { + *result = 0; + } - if (*host && isdigit(*(host + strlen(host) - 1))) + strlcpy(temphost, hostname, sizeof temphost); + host = temphost; + + if (*host && isdigit((unsigned char)*(host + strlen(host) - 1))) { /* Thanks icebreak for this small patch which fixes this function */ int i; char *tmp; - char count=0; + char count = 0; tmp = host; - while((tmp-host)