From 5f2e79c949e44002ecca576cee0aecd1e02fbdf8 Mon Sep 17 00:00:00 2001 From: Michael Ortmann Date: Mon, 16 Oct 2023 09:40:06 +0200 Subject: [PATCH] Fix snprintf() overlaps destination object for optimize_kicks == 2 --- src/mod/server.mod/server.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/src/mod/server.mod/server.c b/src/mod/server.mod/server.c index aea437f66..448724422 100644 --- a/src/mod/server.mod/server.c +++ b/src/mod/server.mod/server.c @@ -568,13 +568,16 @@ static void check_queues(char *oldnick, char *newnick) static void parse_q(struct msgq_head *q, char *oldnick, char *newnick) { struct msgq *m, *lm = NULL; - char buf[SENDLINEMAX], *msg, *nicks, *nick, *chan, newnicks[SENDLINEMAX], newmsg[SENDLINEMAX]; + char buf[SENDLINEMAX], *msg, *nicks, *nick, *chan, newnicks[SENDLINEMAX], + newmsg[SENDLINEMAX]; int changed; + size_t len; for (m = q->head; m;) { changed = 0; - if (optimize_kicks == 2 && !strncasecmp(m->msg, "KICK ", 5)) { + if (optimize_kicks == 2 && !strncasecmp(m->msg, "KICK", 4)) { newnicks[0] = 0; + len = 0; strlcpy(buf, m->msg, sizeof buf); msg = buf; newsplit(&msg); @@ -586,10 +589,11 @@ static void parse_q(struct msgq_head *q, char *oldnick, char *newnick) ((9 + strlen(chan) + strlen(newnicks) + strlen(newnick) + strlen(nicks) + strlen(msg)) < SENDLINEMAX-1)) { if (newnick) - egg_snprintf(newnicks, sizeof newnicks, "%s,%s", newnicks, newnick); + len += snprintf(newnicks + len, (sizeof newnicks) - len, ",%s", + newnick); /* Concatenation */ changed = 1; } else - egg_snprintf(newnicks, sizeof newnicks, ",%s", nick); + snprintf(newnicks, sizeof newnicks, ",%s", nick); } egg_snprintf(newmsg, sizeof newmsg, "KICK %s %s %s", chan, newnicks + 1, msg);
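Review bot: The prefix test in `parse_q` is loosened from `"KICK ", 5` to `"KICK", 4`, a change the commit subject does not explain. Without the trailing space, any queued line whose command merely begins with KICK (case-insensitively) now enters the kick-rewrite path. If that is not intended, keep `!strncasecmp(m->msg, "KICK ", 5)`; if it is, add a short comment such as `/* match on the command word only; the separator is consumed by newsplit() */`. The body of `parse_q` continues past this hunk, so how such a line is treated further down cannot be confirmed from here.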
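Review bot: The `else` branch rewrites `newnicks` from offset 0 with `snprintf(newnicks, sizeof newnicks, ",%s", nick)` but leaves `len` untouched, so the next `newnicks + len` append no longer lines up with the end of the string. With the old `"%s,%s"` form, a non-matching nick followed by the renamed one produced `,nick,newnick`; now the append lands at a stale offset and either overwrites the earlier entry or ends up behind the terminator. Assigning the result, `len = snprintf(newnicks, sizeof newnicks, ",%s", nick);`, keeps the two in step. Separately, `snprintf` returns the untruncated length (or a negative value), so `len` stays below `sizeof newnicks` only because of the `strlen` sum check just above; clamping `len` after the call would stop `(sizeof newnicks) - len` from wrapping if that guard ever changes. The enclosing loop starts outside this hunk, so the iteration behaviour described here is inferred.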