Guard against NULL from pretty_mask

include/defaults.h

@@ -51,6 +51,7 @@
 #define CLIENT_FLOOD_MIN     10
 #define LINKS_DELAY_DEFAULT  300
 #define MAX_TARGETS_DEFAULT 4	/* default for max_targets */
+#define MAX_TARGETS 512		/* hard limit for max_targets */
 #define IDENT_TIMEOUT 10
 #define MIN_JOIN_LEAVE_TIME  60
 #define MAX_JOIN_LEAVE_COUNT  25

include/ircd_defs.h

@@ -84,7 +84,10 @@
 #endif
 
 
-#define NICKLEN		30
+#define NICKLEN		(30+1)    /* Make the default 31, NICKLEN buffers 
+				 * are to include the trailing \0
+				 * This makes the functional nicklen max 30
+				 */
 #define DEFAULT_NICKLEN 9
 #define HOSTLEN		63	/* Length of hostname.	Updated to	   */
 				/* comply with RFC1123			   */

libratbox/src/linebuf.c

@@ -244,6 +244,8 @@ rb_linebuf_copy_line(rb_buf_head_t * bufhead, rb_buf_line_t * bufline, char *dat
 	/* This is the ~overflow case..This doesn't happen often.. */
 	if(cpylen > (BUF_DATA_SIZE - bufline->len - 1))
 	{
+		size_t old_len = bufline->len;
+
 		cpylen = BUF_DATA_SIZE - bufline->len - 1;
 		memcpy(bufch, ch, cpylen);
 		bufline->buf[BUF_DATA_SIZE - 1] = '\0';
@@ -256,7 +258,7 @@ rb_linebuf_copy_line(rb_buf_head_t * bufhead, rb_buf_line_t * bufline, char *dat
 		}
 		bufline->terminated = true;
 		bufline->len = BUF_DATA_SIZE - 1;
-		bufhead->len += BUF_DATA_SIZE - 1;
+		bufhead->len += bufline->len - old_len;
 		return clen;
 	}
 
@@ -319,13 +321,15 @@ rb_linebuf_copy_raw(rb_buf_head_t * bufhead, rb_buf_line_t * bufline, char *data
 	/* This is the overflow case..This doesn't happen often.. */
 	if(cpylen > (BUF_DATA_SIZE - bufline->len - 1))
 	{
+		size_t old_len = bufline->len;
+
 		clen = BUF_DATA_SIZE - (ssize_t)bufline->len - 1;
 		memcpy(bufch, ch, (size_t)clen);
 		bufline->buf[BUF_DATA_SIZE - 1] = '\0';
 		bufch = bufline->buf + BUF_DATA_SIZE - 2;
 		bufline->terminated = true;
 		bufline->len = BUF_DATA_SIZE - 1;
-		bufhead->len += BUF_DATA_SIZE - 1;
+		bufhead->len += bufline->len - old_len;
 		return clen;
 	}
 
@@ -889,4 +893,3 @@ unsigned int rb_linebuf_numlines(rb_buf_head_t *bufhead)
 }
 
 
-

libratbox/src/openssl.c

@@ -133,6 +133,7 @@ rb_ssl_timeout(rb_fde_t *F, void *notused)
 static void
 rb_ssl_info_callback(SSL * ssl, int where, int ret)
 {
+	/* this shouldn't happen anymore with renegotiation disabled */
 	if(where & SSL_CB_HANDSHAKE_START)
 	{
 		rb_fde_t *F = SSL_get_ex_data(ssl, libratbox_index);
@@ -369,8 +370,12 @@ rb_init_ssl(void)
 {
 	int ret = 1;
 	char libratbox_data[] = "libratbox data";
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 	SSL_load_error_strings();
 	SSL_library_init();
+#else
+	OPENSSL_init_ssl(0, NULL);
+#endif
 	libratbox_index = SSL_get_ex_new_index(0, libratbox_data, NULL, NULL, NULL);
 
 	return ret;
@@ -405,7 +410,7 @@ rb_setup_ssl_client(const char *ssl_cipher_list, const char *cert, const char *k
 
 	sctx = rb_malloc(sizeof(rb_ssl_ctx));	
 	sctx->refcount = 1;
-        sctx->ssl_ctx = SSL_CTX_new(SSLv23_client_method());
+        sctx->ssl_ctx = SSL_CTX_new(TLS_client_method());
 
         SSL_CTX_set_options(sctx->ssl_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION);
         if(sctx->ssl_ctx == NULL)
@@ -458,7 +463,7 @@ rb_setup_ssl_server(const char *cacert, const char *cert, const char *keyfile, c
 	long tls_opts;
 	sctx = rb_malloc(sizeof(rb_ssl_ctx));
 	sctx->refcount = 1;
-	sctx->ssl_ctx = SSL_CTX_new(SSLv23_server_method());
+	sctx->ssl_ctx = SSL_CTX_new(TLS_server_method());
 	if(sctx->ssl_ctx == NULL)
 	{
 		rb_lib_log("rb_init_openssl: Unable to initialize OpenSSL server context: %s",
@@ -468,8 +473,9 @@ rb_setup_ssl_server(const char *cacert, const char *cert, const char *keyfile, c
 	}
 
 	tls_opts = SSL_CTX_get_options(sctx->ssl_ctx);
+
 	/* Disable SSLv2, make the client use our settings */
-	tls_opts |= SSL_OP_NO_SSLv2 | SSL_OP_NO_COMPRESSION | SSL_OP_CIPHER_SERVER_PREFERENCE;
+	tls_opts |= SSL_OP_NO_SSLv2 | SSL_OP_NO_COMPRESSION | SSL_OP_CIPHER_SERVER_PREFERENCE | SSL_OP_NO_RENEGOTIATION;
 	switch(tls_min_ver)
 	{
 		case RB_TLS_VER_SSL3: /* we default to SSLv3..sadly */
@@ -554,7 +560,7 @@ rb_setup_ssl_server(const char *cacert, const char *cert, const char *keyfile, c
 		goto cleanup;;
 	}
 
-
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
 	if(dhfile != NULL)
 	{
 		/* DH parameters aren't necessary, but they are nice..if they didn't pass one..that is their problem */
@@ -587,9 +593,13 @@ rb_setup_ssl_server(const char *cacert, const char *cert, const char *keyfile, c
 				   dhfile, ERR_error_string(err, NULL));
 			goto cleanup;	  
 		}
-	}
+	} 
+#else
+	SSL_CTX_set_dh_auto(sctx->ssl_ctx, 1);
+#endif
+
 
-#if OPENSSL_VERSION_NUMBER >= 0x0090800fL
+#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && (OPENSSL_VERSION_NUMBER < 0x30000000L)
 #ifndef OPENSSL_NO_ECDH
 
 	if(named_curve != NULL)
@@ -847,11 +857,16 @@ rb_get_random(void *buf, size_t length)
 int
 rb_get_pseudo_random(void *buf, size_t length)
 {
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 	int ret;
 	ret = RAND_pseudo_bytes(buf, (int)length);
+
 	if(ret < 0)
 		return 0;
 	return 1;
+#else
+	return rb_get_random(buf, length);
+#endif
 }
 
 const char *
@@ -899,11 +914,20 @@ rb_supports_ssl(void)
 	return true;
 }
 
+
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+# define rb_ssl_version_num() (long)SSLeay()
+# define rb_ssl_version_str() SSLeay_version(SSLEAY_VERSION)
+#else
+# define rb_ssl_version_num() (long)OpenSSL_version_num()
+# define rb_ssl_version_str() OpenSSL_version(OPENSSL_VERSION)
+#endif
+
 void
 rb_get_ssl_info(char *buf, size_t len)
 {
 	snprintf(buf, len, "Using SSL: %s compiled: 0x%lx, library 0x%lx",
-		 SSLeay_version(SSLEAY_VERSION), (long)OPENSSL_VERSION_NUMBER, SSLeay());
+		 rb_ssl_version_str(), (long)OPENSSL_VERSION_NUMBER, rb_ssl_version_num());
 }
 
 #endif /* HAVE_OPESSL */

modules/core/m_message.c

@@ -110,7 +110,7 @@ static int flood_attack_channel(int p_or_n, struct Client *source_p, struct Chan
 static struct Client *find_userhost(const char *, const char *, int *);
 
 
-static struct entity targets[512];
+static struct entity targets[MAX_TARGETS];
 static int ntargets = 0;
 
 static bool duplicate_ptr(void *);
@@ -257,6 +257,8 @@ build_target_list(int p_or_n, const char *command, struct Client *client_p,
 	char *p, *nick, *target_list;
 	struct Channel *chptr = NULL;
 	struct Client *target_p;
+	const int max_targets = (ConfigFileEntry.max_targets > MAX_TARGETS) ?
+		MAX_TARGETS : ConfigFileEntry.max_targets;
 
 	target_list = LOCAL_COPY(nicks_channels);
 
@@ -280,7 +282,7 @@ build_target_list(int p_or_n, const char *command, struct Client *client_p,
 			{
 				if(!duplicate_ptr(chptr))
 				{
-					if(ntargets >= ConfigFileEntry.max_targets)
+					if(ntargets >= max_targets)
 					{
 						sendto_one_numeric(source_p, s_RPL(ERR_TOOMANYTARGETS), nick);
 						return (1);
@@ -307,7 +309,7 @@ build_target_list(int p_or_n, const char *command, struct Client *client_p,
 		{
 			if(!duplicate_ptr(target_p))
 			{
-				if(ntargets >= ConfigFileEntry.max_targets)
+				if(ntargets >= max_targets)
 				{
 					sendto_one_numeric(source_p, s_RPL(ERR_TOOMANYTARGETS), nick);
 					return (1);
@@ -362,7 +364,7 @@ build_target_list(int p_or_n, const char *command, struct Client *client_p,
 
 				if(!duplicate_ptr(chptr))
 				{
-					if(ntargets >= ConfigFileEntry.max_targets)
+					if(ntargets >= max_targets)
 					{
 						sendto_one_numeric(source_p, s_RPL(ERR_TOOMANYTARGETS), nick);
 						return (1);

modules/core/m_mode.c

@@ -889,6 +889,9 @@ chm_ban(struct Client *source_p, struct Channel *chptr,
 	else
 		mask = pretty_mask(raw_mask);
 
+	if(mask == NULL)
+		return;
+
 	/* we'd have problems parsing this, hyb6 does it too */
 	if(strlen(mask) > (MODEBUFLEN - 2))
 		return;

modules/m_cap.c

@@ -109,18 +109,16 @@ clicap_compare(const char *name, struct clicap *cap)
  * Ouputs: Cap entry if found, NULL otherwise.
  */
 static struct clicap *
-clicap_find(const char *data, int *negate, int *finished, char **p)
+clicap_find(const char *data, int *negate, int *finished, char *buf, size_t bufsz, char **p)
 {
-	char buf[IRCD_BUFSIZE];
-//	static char *p = NULL;
 	struct clicap *cap;
 	char *s;
 
 	*negate = 0;
 
 	if(data != NULL)
 	{
-		rb_strlcpy(buf, data, sizeof(buf));
+		rb_strlcpy(buf, data, bufsz);
 		*p = buf;
 	} 
 
@@ -270,14 +268,15 @@ static void
 cap_ack(struct Client *source_p, const char *arg)
 {
 	struct clicap *cap;
+	char clicap_buf[IRCD_BUFSIZE];
 	int capadd = 0, capdel = 0;
 	int finished = 0, negate;
 	char *p = NULL;
 	if(EmptyString(arg))
 		return;
 
-	for(cap = clicap_find(arg, &negate, &finished, &p); cap;
-	    cap = clicap_find(NULL, &negate, &finished, &p))
+	for(cap = clicap_find(arg, &negate, &finished, clicap_buf, sizeof(clicap_buf), &p); cap;
+	    cap = clicap_find(NULL, &negate, &finished, clicap_buf, sizeof(clicap_buf), &p))
 	{
 		/* sent an ACK for something they havent REQd */
 		if(!IsCapable(source_p, cap->cap_serv))
@@ -352,6 +351,7 @@ cap_req(struct Client *source_p, const char *arg)
 {
 	char buf[IRCD_BUFSIZE];
 	char pbuf[2][IRCD_BUFSIZE];
+	char clicap_buf[IRCD_BUFSIZE];
 	char *p = NULL;
 	struct clicap *cap;
 	int buflen, plen;
@@ -371,8 +371,8 @@ cap_req(struct Client *source_p, const char *arg)
 	pbuf[0][0] = '\0';
 	plen = 0;
 
-	for(cap = clicap_find(arg, &negate, &finished, &p); cap;
-	    cap = clicap_find(NULL, &negate, &finished, &p))
+	for(cap = clicap_find(arg, &negate, &finished, clicap_buf, sizeof(clicap_buf), &p); cap;
+	    cap = clicap_find(NULL, &negate, &finished, clicap_buf, sizeof(clicap_buf), &p))
 	{
 		/* filled the first array, but cant send it in case the
 		 * request fails.  one REQ should never fill more than two

modules/m_dline.c

@@ -202,29 +202,23 @@ mo_undline(struct Client *client_p, struct Client *source_p, int parc, const cha
 	}
 
 	host = LOCAL_COPY(aconf->host);
-	remove_dline(aconf);
-
-	if(!(aconf->flags & CONF_FLAGS_TEMPORARY))
-	{
-		bandb_del(BANDB_DLINE, host, NULL);
-
-		sendto_one_notice(source_p, ":D-Line for [%s] is removed", host);
-		sendto_realops_flags(UMODE_ALL, L_ALL, "%s has removed the D-Line for: [%s]",
-				     get_oper_name(source_p), host);
-
-	}
-	else
+	if(aconf->flags & CONF_FLAGS_TEMPORARY)
 	{
-		rb_dlink_list *list;
-		list = &temp_dlines[aconf->port];
-		rb_dlinkFindDestroy(aconf, list);
+    rb_dlinkFindDestroy(aconf, &temp_dlines[aconf->port]);
+    remove_dline(aconf);
 		sendto_one_notice(source_p, ":Un-dlined [%s] from temporary D-lines", host);
 		sendto_realops_flags(UMODE_ALL, L_ALL,
 				     "%s has removed the temporary D-Line for: [%s]",
 				     get_oper_name(source_p), host);
 		return 0;
 	}
 
+  remove_dline(aconf);
+  bandb_del(BANDB_DLINE, host, NULL);
+  sendto_one_notice(source_p, ":D-Line for [%s] is removed", host);
+  sendto_realops_flags(UMODE_ALL, L_ALL, "%s has removed the D-Line for: [%s]",
+                       get_oper_name(source_p), host);
+
 	ilog(L_KLINE, "UD %s %s", get_oper_name(source_p), host);
 
 	return 0;
@@ -235,10 +229,12 @@ valid_dline(struct Client *source_p, const char *dlhost)
 {
 	char cidr_form_host[HOSTLEN + 1];
 	int bits;
+	int ty;
 
 	rb_strlcpy(cidr_form_host, dlhost, sizeof(cidr_form_host));
 
-	if(!parse_netmask(dlhost, NULL, &bits))
+	ty = parse_netmask(dlhost, NULL, &bits);
+	if(!ty || ty == HM_HOST)
 	{
 		sendto_one_notice(source_p, ":Invalid D-Line");
 		return 0;

src/hostmask.c

@@ -689,6 +689,6 @@ show_iline_prefix(struct Client *sptr, struct ConfItem *aconf, const char *name)
 	if(MyOper(sptr) && IsConfExemptLimits(aconf))
 		*prefix_ptr++ = '>';
 	*prefix_ptr = '\0';
-	strncpy(prefix_ptr, name, USERLEN);
+	rb_strlcpy(prefix_ptr, name, USERLEN + 1);
 	return (prefix_of_host);
 }

src/match.c

@@ -380,7 +380,7 @@ match_ips(const char *s1, const char *s2)
 	*len++ = '\0';
 
 	cidrlen = atoi(len);
-	if(cidrlen <= 0)
+	if(cidrlen < 0)
 		return 0;
 
 #ifdef RB_IPV6
@@ -410,6 +410,8 @@ match_ips(const char *s1, const char *s2)
 		return 0;
 	if(rb_inet_pton(aftype, mask, maskptr) <= 0)
 		return 0;
+	if(cidrlen == 0)
+		return 1;
 	if(comp_with_mask(ipptr, maskptr, cidrlen))
 		return 1;
 	else