commit 463c5cb7c5ea272035ea05524001dddbe43156cf from: Florian Westphal date: Mon Jan 07 11:42:00 2008 UTC IRC_PART could reference invalid memory. commit - 7548aa089c73a12d2fac3430e8ebb976a9bab4e3 commit + 463c5cb7c5ea272035ea05524001dddbe43156cf blob - 28d3ada0ef94332987c64734b7650cc7a64e6cf5 blob + d0d009a35219e9b790b559bd7c1cb9c3c6e4f569 --- ChangeLog +++ ChangeLog @@ -12,6 +12,8 @@ ngIRCd HEAD + - SECURITY: IRC_PART could reference invalid memory, causing + ngircd to crash. - Use dotted-decimal IP address if hostname is >= 64. - Add support for /STAT u (server uptime) command. - New [Server] configuration Option "Bind" allows to specify @@ -724,4 +726,4 @@ ngIRCd 0.0.1, 31.12.2001 -- -$Id: ChangeLog,v 1.332 2008/01/02 11:31:48 alex Exp $ +$Id: ChangeLog,v 1.333 2008/01/07 11:42:00 fw Exp $ blob - 03204d653af7072258b7844c29978f8087b902b6 blob + fcc6e4aadde4e067d183864f30e5a8eb133ff54a --- src/ngircd/irc-channel.c +++ src/ngircd/irc-channel.c @@ -14,7 +14,7 @@ #include "portab.h" -static char UNUSED id[] = "$Id: irc-channel.c,v 1.40 2007/07/31 18:56:14 alex Exp $"; +static char UNUSED id[] = "$Id: irc-channel.c,v 1.41 2008/01/07 11:42:00 fw Exp $"; #include "imp.h" #include @@ -269,8 +269,9 @@ IRC_PART( CLIENT *Client, REQUEST *Req ) assert( Client != NULL ); assert( Req != NULL ); - /* Falsche Anzahl Parameter? */ - if(( Req->argc > 2 )) return IRC_WriteStrClient( Client, ERR_NEEDMOREPARAMS_MSG, Client_ID( Client ), Req->command ); + if (Req->argc < 1 || Req->argc > 2) + return IRC_WriteStrClient(Client, ERR_NEEDMOREPARAMS_MSG, + Client_ID(Client), Req->command); /* Wer ist der Absender? */ if( Client_Type( Client ) == CLIENT_SERVER ) target = Client_Search( Req->prefix ); 
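Review bot: The new bounds check in IRC_PART drops the old comment without a replacement, so the reason `Req->argc < 1` must be rejected is no longer stated next to the code, even though the next hunk hands `Req->argv[0]` straight to `strtok()`. I would put `/* argv[0] is tokenized below; reject argc == 0 so it is never read when unset */` above the `if`. The context line in this hunk also passes `Req->prefix` to `Client_Search()` for server links; whether the parser guarantees a non-NULL prefix there is not visible here and is worth confirming. It is equally worth checking whether other handlers in this file read `argv[0]` behind an upper-bound-only test. IRC_PART begins before this hunk and continues past it.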
@@ -278,18 +279,11 @@ IRC_PART( CLIENT *Client, REQUEST *Req ) if( ! target ) return IRC_WriteStrClient( Client, ERR_NOSUCHNICK_MSG, Client_ID( Client ), Req->prefix ); /* Channel-Namen durchgehen */ - chan = strtok( Req->argv[0], "," ); - while( chan ) - { - if( ! Channel_Part( target, Client, chan, Req->argc > 1 ? Req->argv[1] : Client_ID( target ))) - { - /* naechsten Namen ermitteln */ - chan = strtok( NULL, "," ); - continue; - } + chan = strtok(Req->argv[0], ","); + while (chan) { + Channel_Part(target, Client, chan, Req->argc > 1 ? Req->argv[1] : Client_ID(target)); - /* naechsten Namen ermitteln */ - chan = strtok( NULL, "," ); + chan = strtok(NULL, ","); } return CONNECTED; } /* IRC_PART */
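Review bot: The simplified loop still walks the channel list with `strtok()`, whose hidden static state is shared with everything `Channel_Part()` calls between two iterations; if any callee tokenizes a string, the next `strtok(NULL, ",")` continues on the wrong buffer. Whether a callee does so is not visible in this hunk, but a local save pointer removes the dependency: `char *save; chan = strtok_r(Req->argv[0], ",", &save);` and `chan = strtok_r(NULL, ",", &save);` inside the loop, provided the project's portability layer offers `strtok_r`. The return value of `Channel_Part()` is now discarded silently, so a short comment such as `/* a failed part does not stop processing of the remaining names */` would record that this is intended. The body of IRC_PART starts outside this hunk.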