Eggdev: [Bug 471] New: Buffer overflow in src/users.c

bugzilla-daemon at tsss.org bugzilla-daemon at tsss.org
Tue Nov 4 03:29:18 CST 2008


http://www.eggheads.org/bugzilla/show_bug.cgi?id=471

           Summary: Buffer overflow in src/users.c
           Product: Eggdrop 1.6
           Version: 1.6.19 CVS
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: minor
          Priority: P3
         Component: core
        AssignedTo: eggdev at eggheads.org
        ReportedBy: pseudo at egg6.net
   Estimated Hours: 0.0


Created an attachment (id=95)
 --> (http://www.eggheads.org/bugzilla/attachment.cgi?id=95)
fix to buffer overflow in src/users.c

In function readuserfile(), eggdrop uses a variable 'ignored' to append
channels, masks for which are ignored. After channels are read from the
userfile, the contents of the variable are logged via putlog().

The 'ignored' variable is a fixed-size character array, but is supposed to
hold a string of channel names whose length is unknown at compile time.
The problem with this is that channel names are appended to the variable
with strcat() without boundary checks, so if the list of ignored channels
grows too long during the runtime of readuserfile(), the capacity of the
'ignored' buffer will be exceeded. This can only happen if there is a large
number of channels that exist in the userfile being read, but not in the
channel file.

This was observed on a system that defines _FORTIFY_SOURCE=2 by default,
so glibc terminates eggdrop with SIGABRT and a lengthy report of memory
usage dumped to console after it discovers the overflow.

A simple solution to the problem is to replace the calls to strcat() with
calls to strncat(), so that the list of channels will be truncated if too
long. The optimal size of ignored[] is LOGLINEMAX, as the sole purpose of
this variable is to output the channels via putlog, and anything larger
will get truncated anyway.

Bug discovered by FireEgl, a patch made by me is attached.


-- 
Configure bugmail: http://www.eggheads.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
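
The strncat() replacement described in the report only bounds the write when its length argument is the room still free in the buffer, not the buffer's total size. The following is an added example, not the attached patch or Eggdrop's own code; `IGNORED_MAX` (a small stand-in for LOGLINEMAX, whose value is not given here), `append_bounded`, `demo` and the channel names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define IGNORED_MAX 64 /* constructed stand-in for LOGLINEMAX */

/* Append src and a separating space to dst without writing past
 * dst[dstsize - 1]. strncat()'s third argument is the maximum number of
 * bytes to append, NOT the size of dst, so the free room is recomputed
 * before every call. dst must already be NUL-terminated inside dstsize.
 * Returns 1 if name and separator fit, 0 if the text was truncated. */
static int append_bounded(char *dst, size_t dstsize, const char *src)
{
    size_t room = dstsize - strlen(dst) - 1; /* free bytes, NUL excluded */
    size_t need = strlen(src) + 1;           /* name plus one space */

    strncat(dst, src, room);
    strncat(dst, " ", dstsize - strlen(dst) - 1);
    return need <= room;
}

/* Constructed input: 40 channel names of 7 characters each need 320 bytes,
 * far more than IGNORED_MAX. Returns the final string length and stores
 * the number of names that did not fit whole in *dropped. */
static size_t demo(int *dropped)
{
    char ignored[IGNORED_MAX] = "";
    char name[16];

    *dropped = 0;
    for (int i = 0; i < 40; i++) {
        snprintf(name, sizeof name, "#chan%02d", i);
        if (!append_bounded(ignored, sizeof ignored, name))
            (*dropped)++;
    }
    return strlen(ignored);
}

int main(void)
{
    int dropped;
    size_t len = demo(&dropped);

    printf("length %zu of %d, %d names truncated or dropped\n",
           len, IGNORED_MAX - 1, dropped);
    return 0;
}
```

Passing `sizeof ignored` directly as the third argument would still overflow once the buffer is partly full, which is why the remaining room is computed from `strlen(dst)` each time.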


