summaryrefslogtreecommitdiff
path: root/src/plugins
diff options
context:
space:
mode:
authorSébastien Helleu <flashcode@flashtux.org>2014-05-24 18:18:11 +0200
committerSébastien Helleu <flashcode@flashtux.org>2014-05-24 18:18:11 +0200
commitfaae8f470b3f1cec6b77c7844b78ac64ce2845b6 (patch)
tree0c78cdda29a5b02d8d32e96bc11c4a155bce5212 /src/plugins
parent7aaf3be15bdb3ff2bd9815cc35bd1699c20ce7a6 (diff)
downloadweechat-faae8f470b3f1cec6b77c7844b78ac64ce2845b6.zip
relay: check pointers received in hdata command to prevent crashes with bad pointers (WeeChat protocol)
Diffstat (limited to 'src/plugins')
-rw-r--r--src/plugins/relay/weechat/relay-weechat-msg.c32
-rw-r--r--src/plugins/relay/weechat/relay-weechat-msg.h4
-rw-r--r--src/plugins/relay/weechat/relay-weechat-protocol.c66
3 files changed, 75 insertions, 27 deletions
diff --git a/src/plugins/relay/weechat/relay-weechat-msg.c b/src/plugins/relay/weechat/relay-weechat-msg.c
index c05aa1e44..0d2bb4809 100644
--- a/src/plugins/relay/weechat/relay-weechat-msg.c
+++ b/src/plugins/relay/weechat/relay-weechat-msg.c
@@ -541,9 +541,13 @@ relay_weechat_msg_add_hdata_path (struct t_relay_weechat_msg *msg,
*
* Argument keys is optional: if not NULL, comma-separated list of keys to
* return for hdata.
+ *
+ * Returns:
+ * 1: hdata added to message
+ * 0: error (hdata NOT added to message)
*/
-void
+int
relay_weechat_msg_add_hdata (struct t_relay_weechat_msg *msg,
const char *path, const char *keys)
{
@@ -553,9 +557,11 @@ relay_weechat_msg_add_hdata (struct t_relay_weechat_msg *msg,
const char *hdata_name, *array_size;
void *pointer, **path_pointers;
long unsigned int value;
- int num_keys, num_path, i, type, pos_count, count, rc;
+ int rc, num_keys, num_path, i, type, pos_count, count, rc_sscanf;
uint32_t count32;
+ rc = 0;
+
hdata_head = NULL;
list_keys = NULL;
num_keys = 0;
@@ -587,9 +593,23 @@ relay_weechat_msg_add_hdata (struct t_relay_weechat_msg *msg,
pos[0] = '\0';
if (strncmp (list_path[0], "0x", 2) == 0)
{
- rc = sscanf (list_path[0], "%lx", &value);
- if ((rc != EOF) && (rc != 0))
+ rc_sscanf = sscanf (list_path[0], "%lx", &value);
+ if ((rc_sscanf != EOF) && (rc_sscanf != 0))
+ {
pointer = (void *)value;
+ if (!weechat_hdata_check_pointer (ptr_hdata_head, NULL, pointer))
+ {
+ if (weechat_relay_plugin->debug >= 1)
+ {
+ weechat_printf (NULL,
+ _("%s: invalid pointer in hdata path: "
+ "\"%s\""),
+ RELAY_PLUGIN_NAME,
+ path);
+ }
+ goto end;
+ }
+ }
}
else
pointer = weechat_hdata_get_list (ptr_hdata_head, list_path[0]);
@@ -709,6 +729,8 @@ relay_weechat_msg_add_hdata (struct t_relay_weechat_msg *msg,
count32 = htonl ((uint32_t)count);
relay_weechat_msg_set_bytes (msg, pos_count, &count32, 4);
+ rc = 1;
+
end:
if (list_keys)
weechat_string_free_split (list_keys);
@@ -720,6 +742,8 @@ end:
free (path_returned);
if (hdata_head)
free (hdata_head);
+
+ return rc;
}
/*
diff --git a/src/plugins/relay/weechat/relay-weechat-msg.h b/src/plugins/relay/weechat/relay-weechat-msg.h
index 4b4412d4a..0284563a5 100644
--- a/src/plugins/relay/weechat/relay-weechat-msg.h
+++ b/src/plugins/relay/weechat/relay-weechat-msg.h
@@ -68,8 +68,8 @@ extern void relay_weechat_msg_add_pointer (struct t_relay_weechat_msg *msg,
void *pointer);
extern void relay_weechat_msg_add_time (struct t_relay_weechat_msg *msg,
time_t time);
-extern void relay_weechat_msg_add_hdata (struct t_relay_weechat_msg *msg,
- const char *path, const char *keys);
+extern int relay_weechat_msg_add_hdata (struct t_relay_weechat_msg *msg,
+ const char *path, const char *keys);
extern void relay_weechat_msg_add_infolist (struct t_relay_weechat_msg *msg,
const char *name,
void *pointer,
diff --git a/src/plugins/relay/weechat/relay-weechat-protocol.c b/src/plugins/relay/weechat/relay-weechat-protocol.c
index d95747179..863a9b018 100644
--- a/src/plugins/relay/weechat/relay-weechat-protocol.c
+++ b/src/plugins/relay/weechat/relay-weechat-protocol.c
@@ -215,9 +215,11 @@ RELAY_WEECHAT_PROTOCOL_CALLBACK(hdata)
msg = relay_weechat_msg_new (id);
if (msg)
{
- relay_weechat_msg_add_hdata (msg, argv[0],
- (argc > 1) ? argv_eol[1] : NULL);
- relay_weechat_msg_send (client, msg);
+ if (relay_weechat_msg_add_hdata (msg, argv[0],
+ (argc > 1) ? argv_eol[1] : NULL))
+ {
+ relay_weechat_msg_send (client, msg);
+ }
relay_weechat_msg_free (msg);
}
@@ -311,7 +313,18 @@ RELAY_WEECHAT_PROTOCOL_CALLBACK(nicklist)
{
ptr_buffer = relay_weechat_protocol_get_buffer (argv[0]);
if (!ptr_buffer)
+ {
+ if (weechat_relay_plugin->debug >= 1)
+ {
+ weechat_printf (NULL,
+ _("%s: invalid buffer pointer in message: "
+ "\"%s %s\""),
+ RELAY_PLUGIN_NAME,
+ command,
+ argv_eol[0]);
+ }
return WEECHAT_RC_OK;
+ }
}
msg = relay_weechat_msg_new (id);
@@ -379,26 +392,37 @@ RELAY_WEECHAT_PROTOCOL_CALLBACK(input)
RELAY_WEECHAT_PROTOCOL_MIN_ARGS(2);
ptr_buffer = relay_weechat_protocol_get_buffer (argv[0]);
- if (ptr_buffer)
+ if (!ptr_buffer)
{
- pos = strchr (argv_eol[0], ' ');
- if (pos)
+ if (weechat_relay_plugin->debug >= 1)
{
- /*
- * use a timer to execute the command after we go back in the
- * WeeChat main loop (some commands like /upgrade executed now can
- * cause a crash)
- */
- timer_args = malloc (2 * sizeof (*timer_args));
- if (timer_args)
- {
- timer_args[0] = strdup (weechat_buffer_get_string (ptr_buffer,
- "full_name"));
- timer_args[1] = strdup (pos + 1);
- weechat_hook_timer (1, 0, 1,
- &relay_weechat_protocol_input_timer_cb,
- timer_args);
- }
+ weechat_printf (NULL,
+ _("%s: invalid buffer pointer in message: "
+ "\"%s %s\""),
+ RELAY_PLUGIN_NAME,
+ command,
+ argv_eol[0]);
+ }
+ return WEECHAT_RC_OK;
+ }
+
+ pos = strchr (argv_eol[0], ' ');
+ if (pos)
+ {
+ /*
+ * use a timer to execute the command after we go back in the
+ * WeeChat main loop (some commands like /upgrade executed now can
+ * cause a crash)
+ */
+ timer_args = malloc (2 * sizeof (*timer_args));
+ if (timer_args)
+ {
+ timer_args[0] = strdup (weechat_buffer_get_string (ptr_buffer,
+ "full_name"));
+ timer_args[1] = strdup (pos + 1);
+ weechat_hook_timer (1, 0, 1,
+ &relay_weechat_protocol_input_timer_cb,
+ timer_args);
}
}