Permalink
Browse files

Fix an dangerous substr() call

A malicious IRCd could send a WHO reply for a nick which consisted completely
out of prefix characters (thus an empty nick). In this case
std::string::find_first_of() would return std::string::npos. This argument would
make std::string::substr() throw an exception and kill the process.

Signed-off-by: Uli Schlachter <psychon@znc.in>
  • Loading branch information...
1 parent 95053f4 commit d5b84f50db49a572ed9e3ca15a472922c7d70930 @psychon psychon committed Mar 30, 2012
Showing with 8 additions and 4 deletions.
  1. +8 −4 src/IRCSock.cpp
View
@@ -330,10 +330,14 @@ void CIRCSock::ReadLine(const CString& sData) {
// The client doesn't support multi-prefix so we need to remove
// the other prefixes.
- CString sNewLine = sServer + " 352 " + sLine.Token(2) + " " + \
- sLine.Token(3) + " " + sIdent + " " + sHost + " " + \
- sLine.Token(6) + " " + sNick[0] + \
- sNick.substr(sNick.find_first_not_of(GetPerms())) + " " + \
+ CString sNewNick = sNick;
+ size_t pos = sNick.find_first_not_of(GetPerms());
+ if (pos >= 2 && pos != CString::npos) {
+ sNewNick = sNick[0] + sNick.substr(pos);
+ }
+ CString sNewLine = sServer + " 352 " + sLine.Token(2) + " " +
+ sLine.Token(3) + " " + sIdent + " " + sHost + " " +
+ sLine.Token(6) + " " + sNewNick + " " +
sLine.Token(8, true);
m_pNetwork->PutUser(sNewLine, pClient);
}

0 comments on commit d5b84f5

Please sign in to comment.