From 55f0010f89fe62928b8aef29bfbf73407380ad69 Mon Sep 17 00:00:00 2001 From: Luke Bratch Date: Mon, 27 May 2019 17:25:34 +0100 Subject: Make sure MAXTOKENS being exceeded can't cause a buffer overflow. --- TODO | 2 -- blabouncer.c | 3 +++ functions.h | 1 - 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/TODO b/TODO index c9b87a3..3b714ee 100644 --- a/TODO +++ b/TODO @@ -10,5 +10,3 @@ Add various auto replay options: Might need to #include in blabouncer.c to make some operating systems and/or compilers happy. Reconnect server if we get disconnected for some reason. - -Make sure MAXTOKENS being exceeded can't cause a buffer overflow. diff --git a/blabouncer.c b/blabouncer.c index f8671f5..e958828 100644 --- a/blabouncer.c +++ b/blabouncer.c @@ -606,6 +606,7 @@ int joinautochannels(SSL *server_ssl, struct client *clients, struct settings *s // Split on commas while ((token = strsep(&strcopy, ",")) != NULL) { if (*token == '\0') continue; // Skip consecutive matches + if (counter >= MAXAUTOCHANLEN) break; // Too many tokens printf(" >> Auto channel: '%s', length '%ld'.\n", token, strlen(token)); // Copy into the token array (strlen + 1 to get the NULL terminator) strncpy(tokens[counter], token, strlen(token) + 1); @@ -701,6 +702,7 @@ int processircmessage(SSL *server_ssl, char *str, int source, struct client *cli while ((token = strsep(&strcopy, " ")) != NULL) { if (*token == '\0') continue; // Skip consecutive matches + if (counter >= MAXTOKENS) break; // Too many tokens printf(" >> Message Token: \"%s\", length %zd.\n", token, strlen(token)); // Copy into the token array (strlen + 1 to get the NULL terminator) strncpy(tokens[counter], token, strlen(token) + 1); 
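Review bot: The copy that follows the new guard in joinautochannels() is still not bounded by the destination: `strncpy(tokens[counter], token, strlen(token) + 1)` takes its length from the source, so it behaves like strcpy() and a token longer than one row of `tokens` overruns that row regardless of `counter`. The same call follows the guards added in processircmessage() and processrawstring(), so the commit closes the too-many-tokens case but not the token-too-long case. Sizing the copy by the destination, e.g. `snprintf(tokens[counter], sizeof tokens[counter], "%s", token);` (assuming `tokens` is a true 2-D array in scope; its declaration is outside the hunk), or skipping over-long tokens before the copy, would cover it. Separately, `MAXAUTOCHANLEN` reads like a per-channel length limit rather than a channel count, so it is worth confirming that it matches the first dimension of `tokens`.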
@@ -1892,6 +1894,7 @@ int processrawstring(SSL *server_ssl, char *str, int source, struct client *clie while ((token = strsep(&strcopy, "\r\n")) != NULL) { if (*token == '\0') continue; // Skip consecutive matches + if (counter >= MAXTOKENS) break; // Too many tokens printf("String Token: \"%s\", length %zd.\n", token, strlen(token)); // Copy into the token array (strlen + 1 to get the NULL terminator) strncpy(messages[messagecount], token, strlen(token) + 1); diff --git a/functions.h b/functions.h index fe1bee8..8fb5145 100644 --- a/functions.h +++ b/functions.h @@ -14,7 +14,6 @@ #include #define MAXDATASIZE 513 // max number of bytes we can get at once (RFC2812 says 512, plus one for null terminator) -#define MAXTOKENS 100 // maximum number of (CRLF or space) separated tokens per server response we expect (TODO - check this is reasonable) // getstdin() return codes #define OK 0 -- cgit v1.2.3
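Review bot: In processrawstring() the new guard tests `counter`, but the copy that follows writes to `messages[messagecount]`, so the check only protects the array if the two variables advance together. The loop's increments are outside the hunk, so this cannot be confirmed from here; if `messagecount` is the index that grows per token, the guard should read `if (messagecount >= MAXTOKENS) break; // Too many messages`. This loop splits raw network input on CR/LF, so the number of rows written is driven by what the peer sends. The functions.h hunk also removes `#define MAXTOKENS 100` and the patch adds no replacement, so the guards presumably rely on a definition elsewhere in the tree; check that its value matches the first dimension of both `tokens` and `messages`.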