ICB has been designed so that a user always needs to be joined to a group.
With the irssi-icb module you can break this rule currently by running
the '/window close' command and therefore crash irssi simply:

        /window close
        /j 2
        Segmentation fault (core dumped)

icb-channels.c:icb_change_channel() will try to compare the current
group with the new group on the next join command, and in case of a
previous '/window close' irssi has already destroyed our group and
freed the reference to it.  Hence icb_change_channel() is comparing
a group string against a freed memory address and segfaults.

Attached patch disables the '/window close' command for ICB
connections, since this just shouldn't be supported.


Index: net/irssi-icb/Makefile
===================================================================
RCS file: /cvs/ports/net/irssi-icb/Makefile,v
retrieving revision 1.39
diff -u -p -u -p -r1.39 Makefile
--- net/irssi-icb/Makefile      16 Mar 2016 21:19:38 -0000      1.39
+++ net/irssi-icb/Makefile      5 Jun 2016 05:54:40 -0000
@@ -7,6 +7,7 @@ GH_PROJECT=     irssi-icb
 GH_COMMIT=     8f7060835355d5f620a5d3b75a45336ab8efefd9
 
 DISTNAME=      irssi-icb-0.16pre20160307
+REVISION=      0
 
 CATEGORIES=     net
 
Index: net/irssi-icb/patches/patch-src_core_icb-commands_c
===================================================================
RCS file: net/irssi-icb/patches/patch-src_core_icb-commands_c
diff -N net/irssi-icb/patches/patch-src_core_icb-commands_c
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ net/irssi-icb/patches/patch-src_core_icb-commands_c 5 Jun 2016 05:54:40 
-0000
@@ -0,0 +1,29 @@
+--- src/core/icb-commands.c.orig       Mon Mar  7 09:54:15 2016
++++ src/core/icb-commands.c    Sun Jun  5 04:36:09 2016
+@@ -101,6 +101,18 @@
+       }
+ }
+ 
++static void cmd_window(const char *data, ICB_SERVER_REC *server)
++{
++      CMD_ICB_SERVER(server);
++
++      /*
++       * Disable the '/window close' command because in ICB you should
++       * always be joined to a group.  Otherwise nasty things can happen.
++       */
++      if (*data != '\0' && (*data == 'c' || *data == 'C'))
++              signal_stop();
++}
++
+ void icb_commands_init(void)
+ {
+       char **cmd;
+@@ -116,6 +128,7 @@
+         command_bind_icb("kick", NULL, (SIGNAL_FUNC) cmd_boot);
+         command_bind_icb("g", NULL, (SIGNAL_FUNC) cmd_group);
+         command_bind_icb("beep", NULL, (SIGNAL_FUNC) cmd_beep);
++        command_bind_icb("window", NULL, (SIGNAL_FUNC) cmd_window);
+ 
+       command_set_options("connect", "+icbnet");
+ }
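Review bot: in cmd_window() the test `*data == 'c' || *data == 'C'` inspects only the first character of the argument, so it stops every '/window' subcommand whose name begins with c on an ICB connection, not only 'close'; comparing the whole first word case-insensitively against "close" would limit the block to the command the comment names. The `*data != '\0'` term is redundant, since an empty string can never equal 'c' or 'C'. signal_stop() also drops the command silently, so printing a short notice would tell the user why nothing happened. Finally, this hides the trigger rather than the fault: the stale group reference that icb_change_channel() compares against is still there for any other path that destroys the group, so clearing that reference when the channel is destroyed, or checking it before the comparison, would address the crash itself.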

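The stale-reference crash described in the message, modelled as an added example that is not code from irssi or irssi-icb: the struct and function names are hypothetical stand-ins, and the destroy path clears the server's group pointer so the later comparison never touches freed memory.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for the server and channel records. */
struct channel { char *name; };
struct server  { struct channel *group; };  /* current group, or NULL */

static struct channel *channel_create(struct server *srv, const char *name)
{
	struct channel *ch = calloc(1, sizeof(*ch));
	size_t n = strlen(name) + 1;

	if (ch == NULL || (ch->name = malloc(n)) == NULL) {
		free(ch);
		return NULL;
	}
	memcpy(ch->name, name, n);
	srv->group = ch;
	return ch;
}

/* Models what a window close does to the group.  The crashing variant
 * frees the channel and leaves srv->group pointing at it. */
static void channel_destroy(struct server *srv, struct channel *ch)
{
	if (srv->group == ch)
		srv->group = NULL;  /* drop the reference before freeing */
	free(ch->name);
	free(ch);
}

/* Returns 0 if already in the group, 1 if switched, -1 on failure. */
static int change_channel(struct server *srv, const char *name)
{
	if (srv->group != NULL && strcmp(srv->group->name, name) == 0)
		return 0;
	if (srv->group != NULL)
		channel_destroy(srv, srv->group);
	return channel_create(srv, name) != NULL ? 1 : -1;
}

int main(void)
{
	struct server srv = { NULL };

	if (channel_create(&srv, "1") == NULL)
		return 1;
	channel_destroy(&srv, srv.group);        /* the window close */
	return change_channel(&srv, "2") == 1 ? 0 : 1;  /* the next join */
}
```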