[eggheads-patches] PATCH: strncpysux.patch

Peter 'Rattacresh' Backes rtc at rhrk.uni-kl.de
Mon Oct 18 14:18:17 CST 1999


Toth wrote:

> Well, whoever and whatever br0ke /dcc chat, any bot running +RC2 or
> current cvs crashes when you /dcc chat em. '.chat' by itself won't
> put you on the partyline anymore either (*looks around growling* who broke
> this??)

One of my patches *revealed* this, but didn't break it.
Another one-byte overrun in strncpy causes this (in the past, too, if
the len of the host was > 255 chars ;) but since my patch terminated
the buffer and wrote a \0 at [256], it now crashes every time.

So use the patch and have one possible 'non-reproducible' SEGV less.
I even guess that if you can spoof a host of let's say length 300, you
can crash any bot with this bug... But maybe backend routines cut it
at byte 120 so I'm not sure.


-- Peter 'Rattacresh' Backes, rtc at rhrk.uni-kl.de
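As an added example (not Peter's patch and not eggdrop code), the bounded-copy pattern the patch moves to, written as a small C helper so the copy length and the terminator index are derived from one buffer size instead of two hand-written constants. HOSTBUF = 256 is an assumption about the size of hostname[] and dnsname[] in net.c (their declarations are not in the hunk), and the function names and the 300-character host are constructed for the demonstration:

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Assumed size of hostname[] and dnsname[] in net.c; the declarations are
 * outside the patch, but "strncpy(..., 255); buf[255] = 0" only fits 256. */
#define HOSTBUF 256

/* Bounded copy that always NUL-terminates and never writes past dst[dstsz - 1].
 * Returns the stored length (without the terminator). */
size_t copy_host(char *dst, size_t dstsz, const char *src)
{
    if (dstsz == 0)
        return 0;
    strncpy(dst, src, dstsz - 1); /* at most dstsz-1 bytes, zero-padded when src is shorter */
    dst[dstsz - 1] = '\0';        /* strncpy never writes this byte when src is long */
    return strlen(dst);
}

/* The pattern in the patch is "strncpy(buf, src, n); buf[n] = 0".
 * The terminator lands at index n, so it is in bounds only when n < sizeof buf. */
int terminator_in_bounds(size_t n, size_t bufsz)
{
    return n < bufsz;
}

/* Mirror of the patched check: copy both names into HOSTBUF-sized buffers,
 * then compare case-insensitively, as net.c does with strcasecmp(). */
int dns_checks_out(const char *from_host, const char *resolved)
{
    char hostname[HOSTBUF];
    char dnsname[HOSTBUF];

    copy_host(hostname, sizeof hostname, from_host);
    copy_host(dnsname, sizeof dnsname, resolved);
    return strcasecmp(hostname, dnsname) == 0;
}

/* Result checker: copy src into a dstsz-byte window of a poisoned buffer and
 * report whether the text equals expect and the terminator is in place. */
int copy_matches(const char *src, size_t dstsz, const char *expect)
{
    char buf[HOSTBUF];

    if (dstsz == 0 || dstsz > sizeof buf)
        return 0;
    memset(buf, 'X', sizeof buf); /* poison so a missing terminator would show */
    copy_host(buf, dstsz, src);
    return buf[dstsz - 1] == '\0' && strcmp(buf, expect) == 0;
}

/* Constructed input: a 300-character host, the length the mail speculates about.
 * With the bounded copy it is truncated to 255 bytes instead of overrunning. */
int demo_long_host(void)
{
    char longhost[301];
    char hostname[HOSTBUF];

    memset(longhost, 'a', 300);
    longhost[300] = '\0';
    return (int) copy_host(hostname, sizeof hostname, longhost);
}

int main(void)
{
    printf("old pattern (n=256 into 256 bytes): in bounds = %d\n", terminator_in_bounds(256, HOSTBUF));
    printf("new pattern (n=255 into 256 bytes): in bounds = %d\n", terminator_in_bounds(255, HOSTBUF));
    printf("300-char host stored as %d bytes\n", demo_long_host());
    return 0;
}
```

Two things worth noting from running it: strncpy(dst, src, n) stops at n bytes and leaves index n untouched, so the explicit terminator after it is what keeps the buffer a valid C string when the source is n bytes or longer; and because both names are truncated to 255 bytes before the strcasecmp, the "checks out" comparison only covers the first 255 characters of each, which a caller that needs full equality has to keep in mind.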

-------------- next part --------------
diff -urN eggdrop1.3.29/doc/UPDATES1.3 eggdrop1.3.29+strncpysux/doc/UPDATES1.3
--- eggdrop1.3.29/doc/UPDATES1.3	Mon Oct 18 16:07:01 1999
+++ eggdrop1.3.29+strncpysux/doc/UPDATES1.3	Mon Oct 18 16:07:59 1999
@@ -4,6 +4,7 @@
 
 1.3.29
 Foundby   Fixedby   What....
+          rtc       fixed one more SEGV case that was revealed by another patch
           Tothwolf  we use autoheader to make config.h.in now
 Tothwolf  guppy     added some #ifdef's for snprintf
           rtc       .chnick can now rename any +b to the bots nick if
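Review bot: the new UPDATES line says only that "one more SEGV case" was fixed; naming where it was (the hostname/dnsname strncpy calls in src/net.c) would let someone reading the changelog find the change without this thread, e.g. `rtc       fixed a one-byte strncpy overrun in the net.c hostname check`.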
diff -urN eggdrop1.3.29/src/net.c eggdrop1.3.29+strncpysux/src/net.c
--- eggdrop1.3.29/src/net.c	Mon Oct 18 16:07:01 1999
+++ eggdrop1.3.29+strncpysux/src/net.c	Mon Oct 18 16:06:10 1999
@@ -956,13 +956,13 @@
   /* These should pad like crazy with zeros, since 120 bytes or so is
    * where the routines providing our data currently lose interest. I'm
    * using the n-variant in case someone changes that... */
-  strncpy(hostname, extracthostname(from), 256);
-  hostname[256] = 0;
+  strncpy(hostname, extracthostname(from), 255);
+  hostname[255] = 0;
   /* But if they are changed one day, this might crash 
    * without [256] = 0; ++rtc
    */
-  strncpy(dnsname, hostnamefromip(my_htonl(ip)), 256);
-  dnsname[256] = 0;
+  strncpy(dnsname, hostnamefromip(my_htonl(ip)), 255);
+  dnsname[255] = 0;
   if (!strcasecmp(hostname, dnsname)) {
     putlog(LOG_DEBUG, "*", "DNS information for submitted IP checks out.");
     return 1;
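Review bot: the comment between the two copies still reads `without [256] = 0; ++rtc` while the code now terminates at [255], so it should be updated to match or dropped, since the termination is now unconditional. The length change itself is right assuming hostname and dnsname are 256-byte arrays (their declarations are outside this hunk): strncpy(..., 255) never touches index 255, so `hostname[255] = 0` is what guarantees termination for a source of 255 or more bytes, whereas the old `hostname[256] = 0` wrote one byte past the array. Writing it as `strncpy(hostname, extracthostname(from), sizeof(hostname) - 1); hostname[sizeof(hostname) - 1] = 0;` (and the same for dnsname) would tie both constants to the declaration so they cannot drift apart again.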

