Close the "IRC DCC" security breach reported recently on Bugtraq.

Submitted by: Makoto MATSUSHITA <matusita@jp.FreeBSD.org>
svn path=/head/; revision=82050
2024-12-11 09:50:12 +00:00 · 2001-08-21 11:21:08 +00:00 · 2001-08-21 11:21:08 +00:00 · 04c3e33949 · 2020-12-20 02:59:44 +00:00
commit 04c3e33949
parent ebdcbc6744
2 changed files with 12 additions and 0 deletions
--- a/lib/libalias/alias_irc.c
+++ b/lib/libalias/alias_irc.c
@ -236,6 +236,12 @@ AliasHandleIrcOut(struct ip *pip, /* IP packet to examine */
 			 true_addr.s_addr = htonl(org_addr);
 			 destaddr.s_addr = 0;

+			 /* Sanity/Security checking */
+			 if (!org_addr || !org_port ||
+			     pip->ip_src.s_addr != true_addr.s_addr ||
+			     org_port < IPPORT_RESERVED)
+				 goto lBAD_CTCP;
+
 			 /* Steal the FTP_DATA_PORT - it doesn't really matter, and this
 				 would probably allow it through at least _some_
 				 firewalls. */
--- a/sys/netinet/libalias/alias_irc.c
+++ b/sys/netinet/libalias/alias_irc.c
@ -236,6 +236,12 @@ AliasHandleIrcOut(struct ip *pip, /* IP packet to examine */
 			 true_addr.s_addr = htonl(org_addr);
 			 destaddr.s_addr = 0;

+			 /* Sanity/Security checking */
+			 if (!org_addr || !org_port ||
+			     pip->ip_src.s_addr != true_addr.s_addr ||
+			     org_port < IPPORT_RESERVED)
+				 goto lBAD_CTCP;
+
 			 /* Steal the FTP_DATA_PORT - it doesn't really matter, and this
 				 would probably allow it through at least _some_
 				 firewalls. */