From 04c3e339499c64078cc2c8f27c60996bf6fb0b3b Mon Sep 17 00:00:00 2001
From: Ruslan Ermilov
Date: Tue, 21 Aug 2001 11:21:08 +0000
Subject: [PATCH] Close the "IRC DCC" security breach reported recently on Bugtraq.
Submitted by: Makoto MATSUSHITA
---
 lib/libalias/alias_irc.c | 6 ++++++
 sys/netinet/libalias/alias_irc.c | 6 ++++++
 2 files changed, 12 insertions(+)
diff --git a/lib/libalias/alias_irc.c b/lib/libalias/alias_irc.c
index 6a8ebe2bbe98..ec5aa8a7d3a5 100644
--- a/lib/libalias/alias_irc.c
+++ b/lib/libalias/alias_irc.c
@@ -236,6 +236,12 @@ AliasHandleIrcOut(struct ip *pip, /* IP packet to examine */
 true_addr.s_addr = htonl(org_addr);
 destaddr.s_addr = 0;
+ /* Sanity/Security checking */
+ if (!org_addr || !org_port ||
+ pip->ip_src.s_addr != true_addr.s_addr ||
+ org_port < IPPORT_RESERVED)
+ goto lBAD_CTCP;
+
 /* Steal the FTP_DATA_PORT - it doesn't really matter, and this would probably allow it through at least _some_ firewalls. */
diff --git a/sys/netinet/libalias/alias_irc.c b/sys/netinet/libalias/alias_irc.c
index 6a8ebe2bbe98..ec5aa8a7d3a5 100644
--- a/sys/netinet/libalias/alias_irc.c
+++ b/sys/netinet/libalias/alias_irc.c
@@ -236,6 +236,12 @@ AliasHandleIrcOut(struct ip *pip, /* IP packet to examine */
 true_addr.s_addr = htonl(org_addr);
 destaddr.s_addr = 0;
+ /* Sanity/Security checking */
+ if (!org_addr || !org_port ||
+ pip->ip_src.s_addr != true_addr.s_addr ||
+ org_port < IPPORT_RESERVED)
+ goto lBAD_CTCP;
+
 /* Steal the FTP_DATA_PORT - it doesn't really matter, and this would probably allow it through at least _some_ firewalls. */
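Review bot: The guard added in the lib/libalias/alias_irc.c hunk (and repeated verbatim in the sys/netinet/libalias/alias_irc.c hunk) refuses only ports below `IPPORT_RESERVED`, so a DCC request that names the sender's own address is still aliased for any unprivileged port, and services that host runs on high ports may remain reachable through the resulting mapping. The `/* Sanity/Security checking */` comment should state that contract, for example `/* Alias only DCC offers for the packet's own source address and an unprivileged port; high-port services on that host are not protected by this check. */`. The `!org_port` test is subsumed by `org_port < IPPORT_RESERVED` and can be dropped. AliasHandleIrcOut starts and ends outside the hunk, so how `org_port` is parsed and bounded, and what `lBAD_CTCP` does with the packet, cannot be confirmed from here.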