[Parser]: Don't use Client_Type after command has been processed.

This caused a read from already free'd memory, if the processed
command (IRC_QUIT) calls Client_Destroy. (from HEAD)

ChangeLog

@@ -1,7 +1,7 @@
 
                      ngIRCd - Next Generation IRC Server
 
-                        (c)2001-2007 Alexander Barton,
+                        (c)2001-2008 Alexander Barton,
                     alex@barton.de, http://www.barton.de/
 
                ngIRCd is free software and published under the
@@ -9,6 +9,15 @@
 
                                -- ChangeLog --
 
+ngIRCd 0.10.4 (2008-01-07)
+
+  - SECURITY: IRC_PART could reference invalid memory, causing
+    ngircd to crash.
+
+ngIRCd 0.10.3 (2007-07-31)
+
+  - SECURITY: Fixed a severe bug in handling JOIN commands, which could
+    cause the server to crash. Thanks to Sebastian Vesper, <net@veoson.net>.
 
 ngIRCd 0.10.2 (2007-06-08)
 
@@ -689,4 +698,4 @@ ngIRCd 0.0.1, 31.12.2001
 
 
 -- 
-$Id: ChangeLog,v 1.302.2.17 2007/06/08 09:05:23 alex Exp $
+$Id: ChangeLog,v 1.302.2.21 2008/01/07 20:57:39 alex Exp $

configure.in

@@ -1,6 +1,6 @@
 #
 # ngIRCd -- The Next Generation IRC Daemon
-# Copyright (c)2001-2007 Alexander Barton <alex@barton.de>
+# Copyright (c)2001-2008 Alexander Barton <alex@barton.de>
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -8,13 +8,13 @@
 # (at your option) any later version.
 # Please read the file COPYING, README and AUTHORS for more information.
 #
-# $Id: configure.in,v 1.118.2.12 2007/06/08 09:05:23 alex Exp $
+# $Id: configure.in,v 1.118.2.14 2008/01/07 20:57:39 alex Exp $
 #
 
 # -- Initialisation --
 
 AC_PREREQ(2.50)
-AC_INIT(ngircd, 0.10.2)
+AC_INIT(ngircd, 0.10.4)
 AC_CONFIG_SRCDIR(src/ngircd/ngircd.c)
 AC_CANONICAL_TARGET
 AM_INIT_AUTOMAKE(1.6)

contrib/Debian/changelog

@@ -1,3 +1,15 @@
+ngircd (0.10.4-0ab1) unstable; urgency=high
+
+  * New "upstream" release: 0.10.4 - fixing a security bug.
+
+ -- Alexander Barton <alex@barton.de>  Mon,  7 Jan 2008 22:04:44 +0100
+
+ngircd (0.10.3-0ab1) unstable; urgency=high
+
+  * New "upstream" release: 0.10.3 - fixing a security bug.
+
+ -- Alexander Barton <alex@barton.de>  Tue, 31 Jul 2007 21:02:52 +0200
+
 ngircd (0.10.2-0ab1) unstable; urgency=low
 
   * New "upstream" release: 0.10.2

contrib/ngircd.spec

@@ -1,5 +1,5 @@
 %define name    ngircd
-%define version 0.10.2
+%define version 0.10.4
 %define release 1
 %define prefix  %{_prefix}
 

src/ngircd/channel.c

@@ -17,7 +17,7 @@
 
 #include "portab.h"
 
-static char UNUSED id[] = "$Id: channel.c,v 1.56.2.3 2007/04/03 22:08:52 fw Exp $";
+static char UNUSED id[] = "$Id: channel.c,v 1.56.2.4 2007/07/31 20:48:15 alex Exp $";
 
 #include "imp.h"
 #include <assert.h>
@@ -602,7 +602,7 @@ Channel_IsMemberOf( CHANNEL *Chan, CLIENT *Client )
 
 	assert( Chan != NULL );
 	assert( Client != NULL );
-	return Get_Cl2Chan(Chan, Client);
+	return Get_Cl2Chan(Chan, Client) != NULL;
 } /* Channel_IsMemberOf */
 
 

src/ngircd/irc-channel.c

@@ -14,7 +14,7 @@
 
 #include "portab.h"
 
-static char UNUSED id[] = "$Id: irc-channel.c,v 1.35.2.3 2007/04/03 20:23:31 fw Exp $";
+static char UNUSED id[] = "$Id: irc-channel.c,v 1.35.2.5 2008/01/07 11:41:44 fw Exp $";
 
 #include "imp.h"
 #include <assert.h>
@@ -52,7 +52,9 @@ IRC_JOIN( CLIENT *Client, REQUEST *Req )
 	assert( Req != NULL );
 
 	/* Bad number of arguments? */
-	if(( Req->argc > 2 )) return IRC_WriteStrClient( Client, ERR_NEEDMOREPARAMS_MSG, Client_ID( Client ), Req->command );
+	if (Req->argc < 1 || Req->argc > 2)
+		return IRC_WriteStrClient(Client, ERR_NEEDMOREPARAMS_MSG,
+					  Client_ID(Client), Req->command);
 
 	/* Who is the sender? */
 	if( Client_Type( Client ) == CLIENT_SERVER ) target = Client_Search( Req->prefix );
@@ -268,7 +270,9 @@ IRC_PART( CLIENT *Client, REQUEST *Req )
 	assert( Req != NULL );
 
 	/* Falsche Anzahl Parameter? */
-	if(( Req->argc > 2 )) return IRC_WriteStrClient( Client, ERR_NEEDMOREPARAMS_MSG, Client_ID( Client ), Req->command );
+	if (Req->argc < 1 || Req->argc > 2)
+		return IRC_WriteStrClient(Client, ERR_NEEDMOREPARAMS_MSG,
+					Client_ID(Client), Req->command);
 
 	/* Wer ist der Absender? */
 	if( Client_Type( Client ) == CLIENT_SERVER ) target = Client_Search( Req->prefix );

src/ngircd/parse.c

@@ -12,7 +12,7 @@
 
 #include "portab.h"
 
-static char UNUSED id[] = "$Id: parse.c,v 1.67 2006/04/23 10:37:27 fw Exp $";
+static char UNUSED id[] = "$Id: parse.c,v 1.67.2.1 2008/02/05 13:15:05 fw Exp $";
 
 /**
  * @file
@@ -348,7 +348,7 @@ Handle_Request( CONN_ID Idx, REQUEST *Req )
 	char str[LINE_LEN];
 	bool result;
 	COMMAND *cmd;
-	int i;
+	int i, client_type;
 
 	assert( Idx >= 0 );
 	assert( Req != NULL );
@@ -406,6 +406,7 @@ Handle_Request( CONN_ID Idx, REQUEST *Req )
 	}
 
 	cmd = My_Commands;
+	client_type = Client_Type( client );
 	while( cmd->name )
 	{
 		/* Befehl suchen */
@@ -414,7 +415,7 @@ Handle_Request( CONN_ID Idx, REQUEST *Req )
 			cmd++; continue;
 		}
 
-		if( Client_Type( client ) & cmd->type )
+		if( client_type & cmd->type )
 		{
 			/* Command is allowed for this client: call it and count produced bytes */
 			Conn_ResetWCounter( );
@@ -422,7 +423,7 @@ Handle_Request( CONN_ID Idx, REQUEST *Req )
 			cmd->bytes += Conn_WCounter( );
 
 			/* Adjust counters */
-			if( Client_Type( client ) != CLIENT_SERVER ) cmd->lcount++;
+			if( client_type != CLIENT_SERVER ) cmd->lcount++;
 			else cmd->rcount++;
 
 			return result;