[Parser]: Don't use Client_Type after command has been processed.

This caused a read from already free'd memory, if the processed
command (IRC_QUIT) calls Client_Destroy. (from HEAD)

ChangeLog

@@ -1,7 +1,7 @@
 
                      ngIRCd - Next Generation IRC Server
 
-                        (c)2001-2007 Alexander Barton,
+                        (c)2001-2008 Alexander Barton,
                     alex@barton.de, http://www.barton.de/
 
                ngIRCd is free software and published under the
@@ -9,9 +9,22 @@
 
                                -- ChangeLog --
 
+ngIRCd 0.10.4 (2008-01-07)
 
-ngIRCd 0.10.2 (2007-05-05)
+  - SECURITY: IRC_PART could reference invalid memory, causing
+    ngircd to crash.
 
+ngIRCd 0.10.3 (2007-07-31)
+
+  - SECURITY: Fixed a severe bug in handling JOIN commands, which could
+    cause the server to crash. Thanks to Sebastian Vesper, <net@veoson.net>.
+
+ngIRCd 0.10.2 (2007-06-08)
+
+  ngIRCd 0.10.2-pre2 (2007-05-19)
+  - Server links are allowed to use larger write buffers now (up to 50 KB).
+
+  ngIRCd 0.10.2-pre1 (2007-05-05)
   - Fix compressed server links (broken since 0.10.0).
   - Predefined Channel configuration now allows specification of channel key
     (mode k) and maximum user count (mode l).
@@ -685,4 +698,4 @@ ngIRCd 0.0.1, 31.12.2001
 
 
 -- 
-$Id: ChangeLog,v 1.302.2.14 2007/05/05 20:43:11 alex Exp $
+$Id: ChangeLog,v 1.302.2.21 2008/01/07 20:57:39 alex Exp $

NEWS

@@ -10,7 +10,7 @@
                                   -- NEWS --
 
 
-ngIRCd 0.10.2 (2007-05-05)
+ngIRCd 0.10.2 (2007-06-08)
 
   - Predefined channel configuration now allows specification of channel key
     (mode k) and maximum user count (mode l): variables "Key" and "MaxUsers".
@@ -237,4 +237,4 @@ ngIRCd 0.0.1, 31.12.2001
 
 
 -- 
-$Id: NEWS,v 1.75.2.6 2007/05/05 20:43:11 alex Exp $
+$Id: NEWS,v 1.75.2.7 2007/06/08 09:05:23 alex Exp $

config.guess

@@ -1,9 +1,10 @@
 #! /bin/sh
 # Attempt to guess a canonical system name.
 #   Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
-#   2000, 2001, 2002, 2003, 2004, 2005 Free Software Foundation, Inc.
+#   2000, 2001, 2002, 2003, 2004, 2005, 2006 Free Software Foundation,
+#   Inc.
 
-timestamp='2006-02-23'
+timestamp='2007-03-06'
 
 # This file is free software; you can redistribute it and/or modify it
 # under the terms of the GNU General Public License as published by
@@ -160,6 +161,7 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
 	    arm*) machine=arm-unknown ;;
 	    sh3el) machine=shl-unknown ;;
 	    sh3eb) machine=sh-unknown ;;
+	    sh5el) machine=sh5le-unknown ;;
 	    *) machine=${UNAME_MACHINE_ARCH}-unknown ;;
 	esac
 	# The Operating System including object format, if it has switched
@@ -210,7 +212,7 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
 	echo ${UNAME_MACHINE}-unknown-solidbsd${UNAME_RELEASE}
 	exit ;;
     macppc:MirBSD:*:*)
-	echo powerppc-unknown-mirbsd${UNAME_RELEASE}
+	echo powerpc-unknown-mirbsd${UNAME_RELEASE}
 	exit ;;
     *:MirBSD:*:*)
 	echo ${UNAME_MACHINE}-unknown-mirbsd${UNAME_RELEASE}
@@ -770,6 +772,8 @@ EOF
 	case ${UNAME_MACHINE} in
 	    pc98)
 		echo i386-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;;
+	    amd64)
+		echo x86_64-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;;
 	    *)
 		echo ${UNAME_MACHINE}-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;;
 	esac
@@ -777,10 +781,7 @@ EOF
     i*:CYGWIN*:*)
 	echo ${UNAME_MACHINE}-pc-cygwin
 	exit ;;
-    i*:MINGW*:*)
-	echo ${UNAME_MACHINE}-pc-mingw32
-	exit ;;
-    i*:MSYS_NT-*:*:*)
+    *:MINGW*:*)
 	echo ${UNAME_MACHINE}-pc-mingw32
 	exit ;;
     i*:windows32*:*)
@@ -790,12 +791,15 @@ EOF
     i*:PW*:*)
 	echo ${UNAME_MACHINE}-pc-pw32
 	exit ;;
-    x86:Interix*:[345]*)
-	echo i586-pc-interix${UNAME_RELEASE}
-	exit ;;
-    EM64T:Interix*:[345]*)
-	echo x86_64-unknown-interix${UNAME_RELEASE}
-	exit ;;
+    *:Interix*:[3456]*)
+    	case ${UNAME_MACHINE} in
+	    x86) 
+		echo i586-pc-interix${UNAME_RELEASE}
+		exit ;;
+	    EM64T | authenticamd)
+		echo x86_64-unknown-interix${UNAME_RELEASE}
+		exit ;;
+	esac ;;
     [345]86:Windows_95:* | [345]86:Windows_98:* | [345]86:Windows_NT:*)
 	echo i${UNAME_MACHINE}-pc-mks
 	exit ;;
@@ -831,6 +835,9 @@ EOF
     arm*:Linux:*:*)
 	echo ${UNAME_MACHINE}-unknown-linux-gnu
 	exit ;;
+    avr32*:Linux:*:*)
+	echo ${UNAME_MACHINE}-unknown-linux-gnu
+	exit ;;
     cris:Linux:*:*)
 	echo cris-axis-linux-gnu
 	exit ;;
@@ -947,6 +954,9 @@ EOF
     x86_64:Linux:*:*)
 	echo x86_64-unknown-linux-gnu
 	exit ;;
+    xtensa:Linux:*:*)
+    	echo xtensa-unknown-linux-gnu
+	exit ;;
     i*86:Linux:*:*)
 	# The BFD linker knows what the default object file format is, so
 	# first see if it will tell us. cd to the root directory to prevent
@@ -989,7 +999,7 @@ EOF
 	LIBC=gnulibc1
 	# endif
 	#else
-	#if defined(__INTEL_COMPILER) || defined(__PGI) || defined(__sun)
+	#if defined(__INTEL_COMPILER) || defined(__PGI) || defined(__SUNPRO_C) || defined(__SUNPRO_CC)
 	LIBC=gnu
 	#else
 	LIBC=gnuaout
@@ -1205,6 +1215,15 @@ EOF
     SX-6:SUPER-UX:*:*)
 	echo sx6-nec-superux${UNAME_RELEASE}
 	exit ;;
+    SX-7:SUPER-UX:*:*)
+	echo sx7-nec-superux${UNAME_RELEASE}
+	exit ;;
+    SX-8:SUPER-UX:*:*)
+	echo sx8-nec-superux${UNAME_RELEASE}
+	exit ;;
+    SX-8R:SUPER-UX:*:*)
+	echo sx8r-nec-superux${UNAME_RELEASE}
+	exit ;;
     Power*:Rhapsody:*:*)
 	echo powerpc-apple-rhapsody${UNAME_RELEASE}
 	exit ;;

config.sub

@@ -1,9 +1,10 @@
 #! /bin/sh
 # Configuration validation subroutine script.
 #   Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
-#   2000, 2001, 2002, 2003, 2004, 2005 Free Software Foundation, Inc.
+#   2000, 2001, 2002, 2003, 2004, 2005, 2006 Free Software Foundation,
+#   Inc.
 
-timestamp='2006-02-23'
+timestamp='2007-01-18'
 
 # This file is (in principle) common to ALL GNU software.
 # The presence of a machine in this file suggests that SOME GNU software
@@ -240,15 +241,16 @@ case $basic_machine in
 	| alpha | alphaev[4-8] | alphaev56 | alphaev6[78] | alphapca5[67] \
 	| alpha64 | alpha64ev[4-8] | alpha64ev56 | alpha64ev6[78] | alpha64pca5[67] \
 	| am33_2.0 \
-	| arc | arm | arm[bl]e | arme[lb] | armv[2345] | armv[345][lb] | avr \
+	| arc | arm | arm[bl]e | arme[lb] | armv[2345] | armv[345][lb] | avr | avr32 \
 	| bfin \
 	| c4x | clipper \
 	| d10v | d30v | dlx | dsp16xx \
-	| fr30 | frv \
+	| fido | fr30 | frv \
 	| h8300 | h8500 | hppa | hppa1.[01] | hppa2.0 | hppa2.0[nw] | hppa64 \
 	| i370 | i860 | i960 | ia64 \
 	| ip2k | iq2000 \
-	| m32r | m32rle | m68000 | m68k | m88k | maxq | mb | microblaze | mcore \
+	| m32c | m32r | m32rle | m68000 | m68k | m88k \
+	| maxq | mb | microblaze | mcore | mep \
 	| mips | mipsbe | mipseb | mipsel | mipsle \
 	| mips16 \
 	| mips64 | mips64el \
@@ -274,21 +276,19 @@ case $basic_machine in
 	| pdp10 | pdp11 | pj | pjl \
 	| powerpc | powerpc64 | powerpc64le | powerpcle | ppcbe \
 	| pyramid \
-	| sh | sh[1234] | sh[24]a | sh[23]e | sh[34]eb | shbe | shle | sh[1234]le | sh3ele \
+	| score \
+	| sh | sh[1234] | sh[24]a | sh[23]e | sh[34]eb | sheb | shbe | shle | sh[1234]le | sh3ele \
 	| sh64 | sh64le \
-	| sparc | sparc64 | sparc64b | sparc86x | sparclet | sparclite \
-	| sparcv8 | sparcv9 | sparcv9b \
-	| strongarm \
+	| sparc | sparc64 | sparc64b | sparc64v | sparc86x | sparclet | sparclite \
+	| sparcv8 | sparcv9 | sparcv9b | sparcv9v \
+	| spu | strongarm \
 	| tahoe | thumb | tic4x | tic80 | tron \
 	| v850 | v850e \
 	| we32k \
-	| x86 | xscale | xscalee[bl] | xstormy16 | xtensa \
+	| x86 | xc16x | xscale | xscalee[bl] | xstormy16 | xtensa \
 	| z8k)
 		basic_machine=$basic_machine-unknown
 		;;
-	m32c)
-		basic_machine=$basic_machine-unknown
-		;;
 	m6811 | m68hc11 | m6812 | m68hc12)
 		# Motorola 68HC11/12.
 		basic_machine=$basic_machine-unknown
@@ -318,18 +318,18 @@ case $basic_machine in
 	| alpha64-* | alpha64ev[4-8]-* | alpha64ev56-* | alpha64ev6[78]-* \
 	| alphapca5[67]-* | alpha64pca5[67]-* | arc-* \
 	| arm-*  | armbe-* | armle-* | armeb-* | armv*-* \
-	| avr-* \
+	| avr-* | avr32-* \
 	| bfin-* | bs2000-* \
 	| c[123]* | c30-* | [cjt]90-* | c4x-* | c54x-* | c55x-* | c6x-* \
 	| clipper-* | craynv-* | cydra-* \
 	| d10v-* | d30v-* | dlx-* \
 	| elxsi-* \
-	| f30[01]-* | f700-* | fr30-* | frv-* | fx80-* \
+	| f30[01]-* | f700-* | fido-* | fr30-* | frv-* | fx80-* \
 	| h8300-* | h8500-* \
 	| hppa-* | hppa1.[01]-* | hppa2.0-* | hppa2.0[nw]-* | hppa64-* \
 	| i*86-* | i860-* | i960-* | ia64-* \
 	| ip2k-* | iq2000-* \
-	| m32r-* | m32rle-* \
+	| m32c-* | m32r-* | m32rle-* \
 	| m68000-* | m680[012346]0-* | m68360-* | m683?2-* | m68k-* \
 	| m88110-* | m88k-* | maxq-* | mcore-* \
 	| mips-* | mipsbe-* | mipseb-* | mipsel-* | mipsle-* \
@@ -358,23 +358,21 @@ case $basic_machine in
 	| powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* | ppcbe-* \
 	| pyramid-* \
 	| romp-* | rs6000-* \
-	| sh-* | sh[1234]-* | sh[24]a-* | sh[23]e-* | sh[34]eb-* | shbe-* \
+	| sh-* | sh[1234]-* | sh[24]a-* | sh[23]e-* | sh[34]eb-* | sheb-* | shbe-* \
 	| shle-* | sh[1234]le-* | sh3ele-* | sh64-* | sh64le-* \
-	| sparc-* | sparc64-* | sparc64b-* | sparc86x-* | sparclet-* \
+	| sparc-* | sparc64-* | sparc64b-* | sparc64v-* | sparc86x-* | sparclet-* \
 	| sparclite-* \
-	| sparcv8-* | sparcv9-* | sparcv9b-* | strongarm-* | sv1-* | sx?-* \
+	| sparcv8-* | sparcv9-* | sparcv9b-* | sparcv9v-* | strongarm-* | sv1-* | sx?-* \
 	| tahoe-* | thumb-* \
 	| tic30-* | tic4x-* | tic54x-* | tic55x-* | tic6x-* | tic80-* \
 	| tron-* \
 	| v850-* | v850e-* | vax-* \
 	| we32k-* \
-	| x86-* | x86_64-* | xps100-* | xscale-* | xscalee[bl]-* \
+	| x86-* | x86_64-* | xc16x-* | xps100-* | xscale-* | xscalee[bl]-* \
 	| xstormy16-* | xtensa-* \
 	| ymp-* \
 	| z8k-*)
 		;;
-	m32c-*)
-		;;
 	# Recognize the various machine names and aliases which stand
 	# for a CPU type and a company and sometimes even an OS.
 	386bsd)
@@ -912,6 +910,10 @@ case $basic_machine in
 	sb1el)
 		basic_machine=mipsisa64sb1el-unknown
 		;;
+	sde)
+		basic_machine=mipsisa32-sde
+		os=-elf
+		;;
 	sei)
 		basic_machine=mips-sei
 		os=-seiux
@@ -923,6 +925,9 @@ case $basic_machine in
 		basic_machine=sh-hitachi
 		os=-hms
 		;;
+	sh5el)
+		basic_machine=sh5le-unknown
+		;;
 	sh64)
 		basic_machine=sh64-unknown
 		;;
@@ -1128,7 +1133,7 @@ case $basic_machine in
 	sh[1234] | sh[24]a | sh[34]eb | sh[1234]le | sh[23]ele)
 		basic_machine=sh-unknown
 		;;
-	sparc | sparcv8 | sparcv9 | sparcv9b)
+	sparc | sparcv8 | sparcv9 | sparcv9b | sparcv9v)
 		basic_machine=sparc-sun
 		;;
 	cydra)
@@ -1217,7 +1222,7 @@ case $os in
 	      | -os2* | -vos* | -palmos* | -uclinux* | -nucleus* \
 	      | -morphos* | -superux* | -rtmk* | -rtmk-nova* | -windiss* \
 	      | -powermax* | -dnix* | -nx6 | -nx7 | -sei* | -dragonfly* \
-	      | -skyos* | -haiku* | -rdos*)
+	      | -skyos* | -haiku* | -rdos* | -toppers* | -drops*)
 	# Remember, each alternative MUST END IN *, to match a version number.
 		;;
 	-qnx*)
@@ -1369,6 +1374,12 @@ else
 # system, and we'll never get to this point.
 
 case $basic_machine in
+        score-*)
+		os=-elf
+		;;
+        spu-*)
+		os=-elf
+		;;
 	*-acorn)
 		os=-riscix1.2
 		;;
@@ -1378,9 +1389,9 @@ case $basic_machine in
 	arm*-semi)
 		os=-aout
 		;;
-    c4x-* | tic4x-*)
-        os=-coff
-        ;;
+        c4x-* | tic4x-*)
+        	os=-coff
+		;;
 	# This must come before the *-dec entry.
 	pdp10-*)
 		os=-tops20
@@ -1406,6 +1417,9 @@ case $basic_machine in
 	m68*-cisco)
 		os=-aout
 		;;
+        mep-*)
+		os=-elf
+		;;
 	mips*-cisco)
 		os=-elf
 		;;

configure.in

@@ -1,6 +1,6 @@
 #
 # ngIRCd -- The Next Generation IRC Daemon
-# Copyright (c)2001-2007 Alexander Barton <alex@barton.de>
+# Copyright (c)2001-2008 Alexander Barton <alex@barton.de>
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -8,13 +8,13 @@
 # (at your option) any later version.
 # Please read the file COPYING, README and AUTHORS for more information.
 #
-# $Id: configure.in,v 1.118.2.10 2007/05/05 20:43:11 alex Exp $
+# $Id: configure.in,v 1.118.2.14 2008/01/07 20:57:39 alex Exp $
 #
 
 # -- Initialisation --
 
 AC_PREREQ(2.50)
-AC_INIT(ngircd, 0.10.2-pre1)
+AC_INIT(ngircd, 0.10.4)
 AC_CONFIG_SRCDIR(src/ngircd/ngircd.c)
 AC_CANONICAL_TARGET
 AM_INIT_AUTOMAKE(1.6)

contrib/Debian/changelog

@@ -1,3 +1,21 @@
+ngircd (0.10.4-0ab1) unstable; urgency=high
+
+  * New "upstream" release: 0.10.4 - fixing a security bug.
+
+ -- Alexander Barton <alex@barton.de>  Mon,  7 Jan 2008 22:04:44 +0100
+
+ngircd (0.10.3-0ab1) unstable; urgency=high
+
+  * New "upstream" release: 0.10.3 - fixing a security bug.
+
+ -- Alexander Barton <alex@barton.de>  Tue, 31 Jul 2007 21:02:52 +0200
+
+ngircd (0.10.2-0ab1) unstable; urgency=low
+
+  * New "upstream" release: 0.10.2
+
+ -- Alexander Barton <alex@barton.de>  Fri,  8 Jun 2007 10:49:36 +0200
+
 ngircd (0.10.1-0ab1) unstable; urgency=low
 
   * New "upstream" release: 0.10.1

contrib/ngircd.spec

@@ -1,5 +1,5 @@
 %define name    ngircd
-%define version 0.10.1
+%define version 0.10.4
 %define release 1
 %define prefix  %{_prefix}
 

src/ngircd/channel.c

@@ -17,7 +17,7 @@
 
 #include "portab.h"
 
-static char UNUSED id[] = "$Id: channel.c,v 1.56.2.3 2007/04/03 22:08:52 fw Exp $";
+static char UNUSED id[] = "$Id: channel.c,v 1.56.2.4 2007/07/31 20:48:15 alex Exp $";
 
 #include "imp.h"
 #include <assert.h>
@@ -602,7 +602,7 @@ Channel_IsMemberOf( CHANNEL *Chan, CLIENT *Client )
 
 	assert( Chan != NULL );
 	assert( Client != NULL );
-	return Get_Cl2Chan(Chan, Client);
+	return Get_Cl2Chan(Chan, Client) != NULL;
 } /* Channel_IsMemberOf */
 
 

src/ngircd/conn-zip.c

@@ -1,6 +1,6 @@
 /*
  * ngIRCd -- The Next Generation IRC Daemon
- * Copyright (c)2001-2006 Alexander Barton (alex@barton.de)
+ * Copyright (c)2001-2007 Alexander Barton (alex@barton.de)
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -22,7 +22,7 @@
 /* enable more zlib related debug messages: */
 /* #define DEBUG_ZLIB */
 
-static char UNUSED id[] = "$Id: conn-zip.c,v 1.11 2006/07/23 15:19:20 alex Exp $";
+static char UNUSED id[] = "$Id: conn-zip.c,v 1.11.2.1 2007/05/18 22:11:19 alex Exp $";
 
 #include "imp.h"
 #include <assert.h>
@@ -82,47 +82,63 @@ Zip_InitConn( CONN_ID Idx )
 } /* Zip_InitConn */
 
 
+/**
+ * Copy data to the compression buffer of a connection. We do collect
+ * some data there until it's full so that we can achieve better
+ * compression ratios.
+ * If the (pre-)compression buffer is full, we try to flush it ("actually
+ * compress some data") and to add the new (uncompressed) data afterwards.
+ * @param Idx Connection handle.
+ * @param Data Pointer to the data.
+ * @param Len Length of the data to add.
+ * @return true on success, false otherwise. */
 GLOBAL bool
 Zip_Buffer( CONN_ID Idx, char *Data, size_t Len )
 {
-	/* Daten zum Komprimieren im "Kompressions-Puffer" sammeln.
-	* Es wird true bei Erfolg, sonst false geliefert. */
+	size_t buflen;
 
 	assert( Idx > NONE );
 	assert( Data != NULL );
 	assert( Len > 0 );
-	assert( Len <= ZWRITEBUFFER_LEN );
 
-	if (Len > ZWRITEBUFFER_LEN)
-		return false;
-
-	if ( array_bytes( &My_Connections[Idx].zip.wbuf ) >= ZWRITEBUFFER_LEN ) {
+	buflen = array_bytes(&My_Connections[Idx].zip.wbuf);
+	if (buflen + Len >= WRITEBUFFER_SLINK_LEN) {
 		/* compression buffer is full, flush */
 		if( ! Zip_Flush( Idx )) return false;
 	}
 
+	/* check again; if zip buf is still too large do not append data:
+	 * otherwise the zip wbuf would grow too large */
+	buflen = array_bytes(&My_Connections[Idx].zip.wbuf);
+	if (buflen + Len >= WRITEBUFFER_SLINK_LEN)
+		return false;
+
 	return array_catb(&My_Connections[Idx].zip.wbuf, Data, Len);
 } /* Zip_Buffer */
 
 
+/**
+ * Compress data in ZIP buffer and move result to the write buffer of
+ * the connection.
+ * @param Idx Connection handle.
+ * @retrun true on success, false otherwise.
+ */
 GLOBAL bool
 Zip_Flush( CONN_ID Idx )
 {
-	/* Daten komprimieren und in Schreibpuffer kopieren.
-	* Es wird true bei Erfolg, sonst false geliefert. */
-
 	int result;
-	unsigned char zipbuf[WRITEBUFFER_LEN];
+	unsigned char zipbuf[WRITEBUFFER_SLINK_LEN];
 	int zipbuf_used = 0;
 	z_stream *out;
 
 	out = &My_Connections[Idx].zip.out;
 
-	out->next_in = array_start(&My_Connections[Idx].zip.wbuf);
-	if (!out->next_in)
-		return false;
-
 	out->avail_in = (uInt)array_bytes(&My_Connections[Idx].zip.wbuf);
+	if (!out->avail_in)
+		return true;	/* nothing to do. */
+
+	out->next_in = array_start(&My_Connections[Idx].zip.wbuf);
+	assert(out->next_in != NULL);
 
 	out->next_out = zipbuf;
 	out->avail_out = (uInt)sizeof zipbuf;
@@ -139,14 +155,26 @@ Zip_Flush( CONN_ID Idx )
 		return false;
 	}
 
-	assert(out->avail_out <= WRITEBUFFER_LEN);
-	zipbuf_used = WRITEBUFFER_LEN - out->avail_out;
+	if (out->avail_out <= 0) {
+		/* Not all data was compressed, because data became
+		 * bigger while compressing it. */
+		Log (LOG_ALERT, "Compression error: buffer overvlow!?");
+		Conn_Close(Idx, "Compression error!", NULL, false);
+		return false;
+	}
+
+	assert(out->avail_out <= WRITEBUFFER_SLINK_LEN);
+
+	zipbuf_used = WRITEBUFFER_SLINK_LEN - out->avail_out;
 #ifdef DEBUG_ZIP
 	Log(LOG_DEBUG, "zipbuf_used: %d", zipbuf_used);
 #endif
 	if (!array_catb(&My_Connections[Idx].wbuf,
-			(char *)zipbuf, (size_t) zipbuf_used))
+			(char *)zipbuf, (size_t) zipbuf_used)) {
+		Log (LOG_ALERT, "Compression error: can't copy data!?");
+		Conn_Close(Idx, "Compression error!", NULL, false);
 		return false;
+	}
 
 	My_Connections[Idx].bytes_out += zipbuf_used;
 	My_Connections[Idx].zip.bytes_out += array_bytes(&My_Connections[Idx].zip.wbuf); 
@@ -178,10 +206,9 @@ Unzip_Buffer( CONN_ID Idx )
 		return true;
 
 	in = &My_Connections[Idx].zip.in;
-	
+
 	in->next_in = array_start(&My_Connections[Idx].zip.rbuf);
-	if (!in->next_in)
-		return false;
+	assert(in->next_in != NULL);
 
 	in->avail_in = z_rdatalen;
 	in->next_out = unzipbuf;

src/ngircd/conn.c

@@ -1,6 +1,6 @@
 /*
  * ngIRCd -- The Next Generation IRC Daemon
- * Copyright (c)2001-2005 Alexander Barton <alex@barton.de>
+ * Copyright (c)2001-2007 Alexander Barton (alex@barton.de)
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -17,7 +17,7 @@
 #include "portab.h"
 #include "io.h"
 
-static char UNUSED id[] = "$Id: conn.c,v 1.198.2.4 2007/05/02 12:22:44 fw Exp $";
+static char UNUSED id[] = "$Id: conn.c,v 1.198.2.6 2007/05/18 22:11:19 alex Exp $";
 
 #include "imp.h"
 #include <assert.h>
@@ -83,6 +83,7 @@ static char UNUSED id[] = "$Id: conn.c,v 1.198.2.4 2007/05/02 12:22:44 fw Exp $"
 
 
 static bool Handle_Write PARAMS(( CONN_ID Idx ));
+static bool Conn_Write PARAMS(( CONN_ID Idx, char *Data, size_t Len ));
 static int New_Connection PARAMS(( int Sock ));
 static CONN_ID Socket2Index PARAMS(( int Sock ));
 static void Read_Request PARAMS(( CONN_ID Idx ));
@@ -607,51 +608,74 @@ va_dcl
 } /* Conn_WriteStr */
 
 
-GLOBAL bool
+/**
+ * Append Data to the outbound write buffer of a connection.
+ * @param Idx Index of the connection.
+ * @param Data pointer to the data.
+ * @param Len length of Data.
+ * @return true on success, false otherwise.
+ */
+static bool
 Conn_Write( CONN_ID Idx, char *Data, size_t Len )
 {
-	/* Daten in Socket schreiben. Bei "fatalen" Fehlern wird
-	 * der Client disconnectiert und false geliefert. */
-
+	CLIENT *c;
+	size_t writebuf_limit = WRITEBUFFER_LEN;
 	assert( Idx > NONE );
 	assert( Data != NULL );
 	assert( Len > 0 );
 
-	/* Ist der entsprechende Socket ueberhaupt noch offen? In einem
-	 * "Handler-Durchlauf" kann es passieren, dass dem nicht mehr so
-	 * ist, wenn einer von mehreren Conn_Write()'s fehlgeschlagen ist.
-	 * In diesem Fall wird hier einfach ein Fehler geliefert. */
+	c = Conn_GetClient(Idx);
+	assert( c != NULL);
+
+	/* Servers do get special write buffer limits, so they can generate
+	 * all the messages that are required while peering. */
+	if (Client_Type(c) == CLIENT_SERVER)
+		writebuf_limit = WRITEBUFFER_SLINK_LEN;
+
+	/* Is the socket still open? A previous call to Conn_Write()
+	 * may have closed the connection due to a fatal error.
+	 * In this case it is sufficient to return an error, as well. */
 	if( My_Connections[Idx].sock <= NONE ) {
-		LogDebug("Skipped write on closed socket (connection %d).", Idx );
+		LogDebug("Skipped write on closed socket (connection %d).", Idx);
 		return false;
 	}
 
-	/* Pruefen, ob im Schreibpuffer genuegend Platz ist. Ziel ist es,
-	 * moeglichts viel im Puffer zu haben und _nicht_ gleich alles auf den
-	 * Socket zu schreiben (u.a. wg. Komprimierung). */
-	if( array_bytes(&My_Connections[Idx].wbuf) >= WRITEBUFFER_LEN) {
-		/* Der Puffer ist dummerweise voll. Jetzt versuchen, den Puffer
-		 * zu schreiben, wenn das nicht klappt, haben wir ein Problem ... */
-		if( ! Handle_Write( Idx )) return false;
-
-		/* check again: if our writebuf is twice als large as the initial limit: Kill connection */
-		if( array_bytes(&My_Connections[Idx].wbuf) >= (WRITEBUFFER_LEN*2)) {
-			Log( LOG_NOTICE, "Write buffer overflow (connection %d)!", Idx );
-			Conn_Close( Idx, "Write buffer overflow!", NULL, false );
-			return false;
-		}
-	}
-
 #ifdef ZLIB
 	if ( Conn_OPTION_ISSET( &My_Connections[Idx], CONN_ZIP )) {
-		/* Daten komprimieren und in Puffer kopieren */
-		if( ! Zip_Buffer( Idx, Data, Len )) return false;
+		/* Compressed link:
+		 * Zip_Buffer() does all the dirty work for us: it flushes
+		 * the (pre-)compression buffers if required and handles
+		 * all error conditions. */
+		if (!Zip_Buffer(Idx, Data, Len))
+			return false;
 	}
 	else
 #endif
 	{
-		/* Daten in Puffer kopieren */
-		if (!array_catb( &My_Connections[Idx].wbuf, Data, Len ))
+		/* Uncompressed link:
+		 * Check if outbound buffer has enough space for the data. */
+		if (array_bytes(&My_Connections[Idx].wbuf) + Len >=
+		    writebuf_limit) {
+			/* Buffer is full, flush it. Handle_Write deals with
+			 * low-level errors, if any. */
+			if (!Handle_Write(Idx))
+				return false;
+		}
+
+		/* When the write buffer is still too big after flushing it,
+		 * the connection will be killed. */
+		if (array_bytes(&My_Connections[Idx].wbuf) + Len >=
+		    writebuf_limit) {
+			Log(LOG_NOTICE,
+			    "Write buffer overflow (connection %d, size %lu byte)!",
+			    Idx,
+			    (unsigned long)array_bytes(&My_Connections[Idx].wbuf));
+			Conn_Close(Idx, "Write buffer overflow!", NULL, false);
+			return false;
+		}
+
+		/* Copy data to write buffer */
+		if (!array_catb(&My_Connections[Idx].wbuf, Data, Len))
 			return false;
 
 		My_Connections[Idx].bytes_out += Len;
@@ -692,7 +716,7 @@ Conn_Close( CONN_ID Idx, char *LogMsg, char *FwdMsg, bool InformClient )
 
 	/* Mark link as "closing" */
 	Conn_OPTION_ADD( &My_Connections[Idx], CONN_ISCLOSING );
-		
+
 	if (LogMsg)
 		txt = LogMsg;
 	else
@@ -720,7 +744,6 @@ Conn_Close( CONN_ID Idx, char *LogMsg, char *FwdMsg, bool InformClient )
 			 (double)My_Connections[Idx].bytes_out / 1024);
 		}
 #endif
-
 		/* Send ERROR to client (see RFC!) */
 		if (FwdMsg)
 			Conn_WriteStr(Idx, "ERROR :%s", FwdMsg);
@@ -864,24 +887,23 @@ Handle_Write( CONN_ID Idx )
 	wdatalen = array_bytes(&My_Connections[Idx].wbuf );
 
 #ifdef ZLIB
-	if (wdatalen == 0 && !array_bytes(&My_Connections[Idx].zip.wbuf)) {
-		io_event_del(My_Connections[Idx].sock, IO_WANTWRITE );
-		return true;
-	}
-
-	/* write buffer empty, but not compression buffer?
-         * -> flush compression buffer! */
-	if (wdatalen == 0)
-		Zip_Flush(Idx);
-#else
 	if (wdatalen == 0) {
-		io_event_del(My_Connections[Idx].sock, IO_WANTWRITE );
-		return true;
+		/* Write buffer is empty, so we try to flush the compression
+		 * buffer and get some data to work with from there :-) */
+		if (!Zip_Flush(Idx))
+			return false;
+
+		/* Now the write buffer most probably has changed: */
+		wdatalen = array_bytes(&My_Connections[Idx].wbuf);
 	}
 #endif
 
-	/* Zip_Flush() may have changed the write buffer ... */
-	wdatalen = array_bytes(&My_Connections[Idx].wbuf);
+	if (wdatalen == 0) {
+		/* Still no data, fine. */
+		io_event_del(My_Connections[Idx].sock, IO_WANTWRITE );
+		return true;
+	}
+
 	LogDebug
 	    ("Handle_Write() called for connection %d, %ld bytes pending ...",
 	     Idx, wdatalen);
@@ -1043,47 +1065,52 @@ Socket2Index( int Sock )
 } /* Socket2Index */
 
 
+/**
+ * Read data from the network to the read buffer. If an error occures,
+ * the socket of this connection will be shut down.
+ */
 static void
 Read_Request( CONN_ID Idx )
 {
-	/* Daten von Socket einlesen und entsprechend behandeln.
-	 * Tritt ein Fehler auf, so wird der Socket geschlossen. */
-
 	ssize_t len;
-	char readbuf[1024];
+	char readbuf[READBUFFER_LEN];
 	CLIENT *c;
-
 	assert( Idx > NONE );
 	assert( My_Connections[Idx].sock > NONE );
 
 #ifdef ZLIB
-	if (( array_bytes(&My_Connections[Idx].rbuf) >= READBUFFER_LEN ) ||
-		( array_bytes(&My_Connections[Idx].zip.rbuf) >= ZREADBUFFER_LEN ))
+	if ((array_bytes(&My_Connections[Idx].rbuf) >= READBUFFER_LEN) ||
+		(array_bytes(&My_Connections[Idx].zip.rbuf) >= READBUFFER_LEN))
 #else
-	if ( array_bytes(&My_Connections[Idx].rbuf) >= READBUFFER_LEN )
+	if (array_bytes(&My_Connections[Idx].rbuf) >= READBUFFER_LEN)
 #endif
 	{
-		/* Der Lesepuffer ist voll */
-		Log( LOG_ERR, "Receive buffer overflow (connection %d): %d bytes!", Idx,
-						array_bytes(&My_Connections[Idx].rbuf));
+		/* Read buffer is full */
+		Log(LOG_ERR,
+		    "Receive buffer overflow (connection %d): %d bytes!",
+		    Idx, array_bytes(&My_Connections[Idx].rbuf));
 		Conn_Close( Idx, "Receive buffer overflow!", NULL, false );
 		return;
 	}
 
-	len = read( My_Connections[Idx].sock, readbuf, sizeof readbuf -1 );
-	if( len == 0 ) {
-		Log( LOG_INFO, "%s:%d (%s) is closing the connection ...",
-			My_Connections[Idx].host, ntohs( My_Connections[Idx].addr.sin_port),
-					inet_ntoa( My_Connections[Idx].addr.sin_addr ));
-		Conn_Close( Idx, "Socket closed!", "Client closed connection", false );
+	len = read(My_Connections[Idx].sock, readbuf, sizeof(readbuf));
+	if (len == 0) {
+		Log(LOG_INFO, "%s:%d (%s) is closing the connection ...",
+		    My_Connections[Idx].host,
+		    ntohs(My_Connections[Idx].addr.sin_port),
+		    inet_ntoa( My_Connections[Idx].addr.sin_addr));
+		Conn_Close(Idx,
+			   "Socket closed!", "Client closed connection",
+			   false);
 		return;
 	}
 
-	if( len < 0 ) {
+	if (len < 0) {
 		if( errno == EAGAIN ) return;
-		Log( LOG_ERR, "Read error on connection %d (socket %d): %s!", Idx,
-					My_Connections[Idx].sock, strerror( errno ));
-		Conn_Close( Idx, "Read error!", "Client closed connection", false );
+		Log(LOG_ERR, "Read error on connection %d (socket %d): %s!",
+		    Idx, My_Connections[Idx].sock, strerror(errno));
+		Conn_Close(Idx, "Read error!", "Client closed connection",
+			   false);
 		return;
 	}
 #ifdef ZLIB
@@ -1219,11 +1246,6 @@ Handle_Buffer( CONN_ID Idx )
 			/* The last Command activated Socket-Compression.
 			 * Data that was read after that needs to be copied to Unzip-buf
 			 * for decompression */
-			if( array_bytes(&My_Connections[Idx].rbuf)> ZREADBUFFER_LEN ) {
-				Log( LOG_ALERT, "Connection %d: No space left in unzip buf (need %u bytes)!",
-								Idx, array_bytes(&My_Connections[Idx].rbuf ));
-				return false;
-			}
 			if (!array_copy( &My_Connections[Idx].zip.rbuf, &My_Connections[Idx].rbuf ))
 				return false;
 
@@ -1631,9 +1653,9 @@ Conn_GetClient( CONN_ID Idx )
 	assert( Idx >= 0 );
 
 	c = array_get(&My_ConnArray, sizeof (CONNECTION), (size_t)Idx);
-	
+
 	assert(c != NULL);
-	
+
 	return c ? c->client : NULL;
 }
 

src/ngircd/conn.h

@@ -8,7 +8,7 @@
  * (at your option) any later version.
  * Please read the file COPYING, README and AUTHORS for more information.
  *
- * $Id: conn.h,v 1.42 2006/05/10 21:24:01 alex Exp $
+ * $Id: conn.h,v 1.42.2.1 2007/05/09 13:21:38 fw Exp $
  *
  * Connection management (header)
  */
@@ -88,7 +88,6 @@ GLOBAL void Conn_ExitListeners PARAMS(( void ));
 
 GLOBAL void Conn_Handler PARAMS(( void ));
 
-GLOBAL bool Conn_Write PARAMS(( CONN_ID Idx, char *Data, size_t Len ));
 GLOBAL bool Conn_WriteStr PARAMS(( CONN_ID Idx, char *Format, ... ));
 
 GLOBAL void Conn_Close PARAMS(( CONN_ID Idx, char *LogMsg, char *FwdMsg, bool InformClient ));

src/ngircd/defines.h

@@ -1,6 +1,6 @@
 /*
  * ngIRCd -- The Next Generation IRC Daemon
- * Copyright (c)2001-2005 Alexander Barton (alex@barton.de)
+ * Copyright (c)2001-2007 Alexander Barton (alex@barton.de)
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -8,7 +8,7 @@
  * (at your option) any later version.
  * Please read the file COPYING, README and AUTHORS for more information.
  *
- * $Id: defines.h,v 1.58 2006/06/15 20:28:15 alex Exp $
+ * $Id: defines.h,v 1.58.2.1 2007/05/18 22:11:19 alex Exp $
  */
 
 
@@ -70,13 +70,8 @@
 					   connection in bytes. */
 #define WRITEBUFFER_LEN 4096		/* Size of the write buffer of a
 					   connection in bytes. */
-
-#ifdef ZLIB
-#define ZREADBUFFER_LEN 1024		/* Size of the compressed read buffer
-					   of a connection in bytes. */
-#define ZWRITEBUFFER_LEN 4096		/* Size of the compressed write buffer
-					   of a connection in bytes. */
-#endif
+#define WRITEBUFFER_SLINK_LEN 51200	/* Size of the write buffer of a
+					   server link connection in bytes. */
 
 #define PROTOVER "0210"			/* Implemented IRC protocol version,
 					   see RFC 2813 section 4.1.1. */

src/ngircd/irc-channel.c

@@ -14,7 +14,7 @@
 
 #include "portab.h"
 
-static char UNUSED id[] = "$Id: irc-channel.c,v 1.35.2.3 2007/04/03 20:23:31 fw Exp $";
+static char UNUSED id[] = "$Id: irc-channel.c,v 1.35.2.5 2008/01/07 11:41:44 fw Exp $";
 
 #include "imp.h"
 #include <assert.h>
@@ -52,7 +52,9 @@ IRC_JOIN( CLIENT *Client, REQUEST *Req )
 	assert( Req != NULL );
 
 	/* Bad number of arguments? */
-	if(( Req->argc > 2 )) return IRC_WriteStrClient( Client, ERR_NEEDMOREPARAMS_MSG, Client_ID( Client ), Req->command );
+	if (Req->argc < 1 || Req->argc > 2)
+		return IRC_WriteStrClient(Client, ERR_NEEDMOREPARAMS_MSG,
+					  Client_ID(Client), Req->command);
 
 	/* Who is the sender? */
 	if( Client_Type( Client ) == CLIENT_SERVER ) target = Client_Search( Req->prefix );
@@ -268,7 +270,9 @@ IRC_PART( CLIENT *Client, REQUEST *Req )
 	assert( Req != NULL );
 
 	/* Falsche Anzahl Parameter? */
-	if(( Req->argc > 2 )) return IRC_WriteStrClient( Client, ERR_NEEDMOREPARAMS_MSG, Client_ID( Client ), Req->command );
+	if (Req->argc < 1 || Req->argc > 2)
+		return IRC_WriteStrClient(Client, ERR_NEEDMOREPARAMS_MSG,
+					Client_ID(Client), Req->command);
 
 	/* Wer ist der Absender? */
 	if( Client_Type( Client ) == CLIENT_SERVER ) target = Client_Search( Req->prefix );

src/ngircd/parse.c

@@ -12,7 +12,7 @@
 
 #include "portab.h"
 
-static char UNUSED id[] = "$Id: parse.c,v 1.67 2006/04/23 10:37:27 fw Exp $";
+static char UNUSED id[] = "$Id: parse.c,v 1.67.2.1 2008/02/05 13:15:05 fw Exp $";
 
 /**
  * @file
@@ -348,7 +348,7 @@ Handle_Request( CONN_ID Idx, REQUEST *Req )
 	char str[LINE_LEN];
 	bool result;
 	COMMAND *cmd;
-	int i;
+	int i, client_type;
 
 	assert( Idx >= 0 );
 	assert( Req != NULL );
@@ -406,6 +406,7 @@ Handle_Request( CONN_ID Idx, REQUEST *Req )
 	}
 
 	cmd = My_Commands;
+	client_type = Client_Type( client );
 	while( cmd->name )
 	{
 		/* Befehl suchen */
@@ -414,7 +415,7 @@ Handle_Request( CONN_ID Idx, REQUEST *Req )
 			cmd++; continue;
 		}
 
-		if( Client_Type( client ) & cmd->type )
+		if( client_type & cmd->type )
 		{
 			/* Command is allowed for this client: call it and count produced bytes */
 			Conn_ResetWCounter( );
@@ -422,7 +423,7 @@ Handle_Request( CONN_ID Idx, REQUEST *Req )
 			cmd->bytes += Conn_WCounter( );
 
 			/* Adjust counters */
-			if( Client_Type( client ) != CLIENT_SERVER ) cmd->lcount++;
+			if( client_type != CLIENT_SERVER ) cmd->lcount++;
 			else cmd->rcount++;
 
 			return result;