authorSébastien Helleu <flashcode@flashtux.org>2022-09-10 13:42:35 +0200
committerSébastien Helleu <flashcode@flashtux.org>2022-09-10 13:43:45 +0200
commit9cb68b13a94175b6fc64a9d9f20b2b923a1c0b09 (patch)
tree7ba5a074e5076627905279ae4842f54551a5a8c0 /src/plugins
parent5070a6330c09d8025ce1209686cac071753589ef (diff)
downloadweechat-9cb68b13a94175b6fc64a9d9f20b2b923a1c0b09.zip
irc: replace chars "\01" by spaces in CTCP replies (closes #1819)
This prevents any attack due to an external security issue in the Linux netfilter implementation (nf_conntrack_irc). See: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2663
Diffstat (limited to 'src/plugins')
-rw-r--r--src/plugins/irc/irc-ctcp.c115
1 files changed, 68 insertions, 47 deletions
diff --git a/src/plugins/irc/irc-ctcp.c b/src/plugins/irc/irc-ctcp.c
index 23323d017..2faab81e3 100644
--- a/src/plugins/irc/irc-ctcp.c
+++ b/src/plugins/irc/irc-ctcp.c
@@ -270,15 +270,32 @@ irc_ctcp_reply_to_nick (struct t_irc_server *server,
{
struct t_hashtable *hashtable;
int number;
- char hash_key[32];
+ char hash_key[32], *str_args_color, *dup_ctcp, *dup_args;
const char *str_args;
- char *str_args_color, *ctcp_upper;
- ctcp_upper = strdup (ctcp);
- if (!ctcp_upper)
- return;
+ dup_ctcp = NULL;
+ dup_args = NULL;
+ hashtable = NULL;
+
+ /*
+ * replace any "\01" by a space to prevent any firewall attack via
+ * nf_conntrack_irc (CVE-2022-2663)
+ */
+ dup_ctcp = weechat_string_replace (ctcp, "\01", " ");
+ if (!dup_ctcp)
+ goto end;
+ weechat_string_toupper (dup_ctcp);
- weechat_string_toupper (ctcp_upper);
+ if (arguments)
+ {
+ /*
+ * replace any "\01" by a space to prevent any firewall attack via
+ * nf_conntrack_irc (CVE-2022-2663)
+ */
+ dup_args = weechat_string_replace (arguments, "\01", " ");
+ if (!dup_args)
+ goto end;
+ }
hashtable = irc_server_sendf (
server,
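Review bot: The `\01` replacement is written out twice with the same comment, once for `ctcp` and once for `arguments`, and it exists only inside `irc_ctcp_reply_to_nick`. A small static helper wrapping `weechat_string_replace (s, "\01", " ")` would keep the rule in one place and make it easy to reuse if another function formats remote-supplied text between `\01` delimiters; whether such a path exists is not visible from this hunk. The function's header comment should also record that a failed replacement now jumps to `end` and sends nothing, for example `/* on memory error no reply is sent, so unsanitized text never reaches the server */`. The function body continues in the next hunk.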
@@ -286,53 +303,57 @@ irc_ctcp_reply_to_nick (struct t_irc_server *server,
NULL,
"NOTICE %s :\01%s%s%s\01",
nick,
- ctcp_upper,
- (arguments) ? " " : "",
- (arguments) ? arguments : "");
+ dup_ctcp,
+ (dup_args) ? " " : "",
+ (dup_args) ? dup_args : "");
+ if (!hashtable)
+ goto end;
- if (hashtable)
+ if (weechat_config_boolean (irc_config_look_display_ctcp_reply))
{
- if (weechat_config_boolean (irc_config_look_display_ctcp_reply))
+ number = 1;
+ while (1)
{
- number = 1;
- while (1)
- {
- snprintf (hash_key, sizeof (hash_key), "args%d", number);
- str_args = weechat_hashtable_get (hashtable, hash_key);
- if (!str_args)
- break;
- str_args_color = irc_color_decode (str_args, 1);
- if (!str_args_color)
- break;
- weechat_printf_date_tags (
- irc_msgbuffer_get_target_buffer (
- server, nick, NULL, "ctcp",
- (channel) ? channel->buffer : NULL),
- 0,
- irc_protocol_tags (
- command,
- tags,
- "irc_ctcp,irc_ctcp_reply,self_msg,notify_none,"
- "no_highlight",
- NULL, NULL),
- _("%sCTCP reply to %s%s%s: %s%s%s%s%s"),
- weechat_prefix ("network"),
- irc_nick_color_for_msg (server, 0, NULL, nick),
- nick,
- IRC_COLOR_RESET,
- IRC_COLOR_CHAT_CHANNEL,
- ctcp_upper,
- (str_args_color[0]) ? IRC_COLOR_RESET : "",
- (str_args_color[0]) ? " " : "",
- str_args_color);
- free (str_args_color);
- number++;
- }
+ snprintf (hash_key, sizeof (hash_key), "args%d", number);
+ str_args = weechat_hashtable_get (hashtable, hash_key);
+ if (!str_args)
+ break;
+ str_args_color = irc_color_decode (str_args, 1);
+ if (!str_args_color)
+ break;
+ weechat_printf_date_tags (
+ irc_msgbuffer_get_target_buffer (
+ server, nick, NULL, "ctcp",
+ (channel) ? channel->buffer : NULL),
+ 0,
+ irc_protocol_tags (
+ command,
+ tags,
+ "irc_ctcp,irc_ctcp_reply,self_msg,notify_none,"
+ "no_highlight",
+ NULL, NULL),
+ _("%sCTCP reply to %s%s%s: %s%s%s%s%s"),
+ weechat_prefix ("network"),
+ irc_nick_color_for_msg (server, 0, NULL, nick),
+ nick,
+ IRC_COLOR_RESET,
+ IRC_COLOR_CHAT_CHANNEL,
+ dup_ctcp,
+ (str_args_color[0]) ? IRC_COLOR_RESET : "",
+ (str_args_color[0]) ? " " : "",
+ str_args_color);
+ free (str_args_color);
+ number++;
}
- weechat_hashtable_free (hashtable);
}
- free (ctcp_upper);
+end:
+ if (dup_ctcp)
+ free (dup_ctcp);
+ if (dup_args)
+ free (dup_args);
+ if (hashtable)
+ weechat_hashtable_free (hashtable);
}
/*
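Review bot: `nick` is still passed unmodified into the `"NOTICE %s :\01%s%s%s\01"` format while `dup_ctcp` and `dup_args` are sanitized, so the outgoing line is only as clean as the nick the caller supplies. If the caller guarantees a nick without `\01` (not visible here), a comment at the `irc_server_sendf` call would record that assumption: `/* nick is not sanitized here: caller guarantees it contains no "\01" */`. Otherwise it could go through the same `weechat_string_replace` call as the other two strings. The function starts in the previous hunk, so the origin of `nick` cannot be checked from these lines.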