Package: tinyirc
Version: 1:1.1.dfsg.1-1
Severity: normal
Tags: security
During source code reading of tinyirc I stumbled over a
problem:
tinyirc has many functions like:
    static int dotopic()
    {
        printf("*** %s set %s topic to \"%s\"", TOK[0], TOK[2],
               TOK[3]);
        return 0;
    }
The problem here is that it never checks if TOK[3] for example is != NULL.
It just assumes it is there depending on the command it got by the server.
If the server has a bug or this is a malicious server the client would crash.
It's most obvious in the donumeric function:
    int donumeric(num)
    int num;
    {
        switch (num) {
        case 352:
            column = printf("%-14s %-10s %-3s [EMAIL PROTECTED] :", TOK[3], TOK[7],
                            TOK[8], TOK[4], TOK[5]);
            return 9;
        case 311:
If you for example send ":foo 352 baz" as server this code will result in a
segmentation fault.
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
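
The following is an added example, not part of the original report and not tinyirc's code: a sketch of a handler that counts tokens and refuses to format a reply when a token it reads is missing. Only the name TOK comes from the report; tokenize, handle_line, ntok, last_out, the output format of the 352 case and the sample lines are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAXTOK 16
static char *TOK[MAXTOK];   /* same role as TOK[] in the report; the rest is hypothetical */
static int ntok;            /* number of valid entries in TOK[] */
static char last_out[256];  /* formatted text, kept so callers can inspect it */

/* Split a prefixed IRC line in place; a token starting with ':' is the trailing parameter. */
static void tokenize(char *p)
{
    ntok = 0;
    memset(TOK, 0, sizeof TOK);
    if (*p == ':') p++;                       /* drop the prefix marker */
    while (ntok < MAXTOK) {
        while (*p == ' ') p++;
        if (!*p) break;
        if (*p == ':' && ntok > 0) { TOK[ntok++] = p + 1; break; }
        TOK[ntok++] = p;
        while (*p && *p != ' ') p++;
        if (*p) *p++ = '\0';
    }
}

/* Returns the formatted length, 0 for an unhandled command, -1 if tokens are missing. */
int handle_line(const char *raw)
{
    static char buf[512];
    snprintf(buf, sizeof buf, "%s", raw);     /* private, truncated copy */
    tokenize(buf);
    last_out[0] = '\0';
    if (ntok < 2) return -1;                  /* need prefix and command */
    if (strcmp(TOK[1], "352") == 0) {         /* reads TOK[3]..TOK[8] */
        if (ntok < 9) return -1;
        return snprintf(last_out, sizeof last_out, "%s %s %s %s@%s",
                        TOK[3], TOK[7], TOK[8], TOK[4], TOK[5]);
    }
    if (strcmp(TOK[1], "TOPIC") == 0) {       /* reads TOK[0], TOK[2], TOK[3] */
        if (ntok < 4) return -1;
        return snprintf(last_out, sizeof last_out,
                        "*** %s set %s topic to \"%s\"", TOK[0], TOK[2], TOK[3]);
    }
    return 0;
}

int main(void)
{
    /* Constructed input; the line is the one quoted in the report. */
    printf("%d\n", handle_line(":foo 352 baz"));
    return 0;
}
```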

