From: Michael Poole <mdpoole@troilus.org>
Date: Mon, 24 Jan 2005 17:12:38 +0000 (+0000)
Subject: typo fix in alloc-srvx.c; avoid dereferencing free()'d bans
X-Git-Tag: v1.4.0-rc1~184
X-Git-Url: http://git.pk910.de/?p=srvx.git;a=commitdiff_plain;h=36612e1ec929a26c24b9e87369a9628e392f1430

typo fix in alloc-srvx.c; avoid dereferencing free()'d bans

src/alloc-srvx.c (srvx_realloc): Fix argument list to srvx_free().

src/chanserv.c (find_matching_bans): Make temporary copies of bans to
be removed.  Double-check remove count at end of loop.
(unban_user, cmd_open): Free the string copies.
(cmd_unbanall): Make temporary copies of removed bans and free them.
(handle_mode): Likewise.

src/opserv.c (cmd_clearbans): Likewise.
git-archimport-id: srvx@srvx.net--2005-srvx/srvx--devo--1.3--patch-8
---

diff --git a/ChangeLog b/ChangeLog
index 7944689..22d3767 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,6 +2,27 @@
 # arch-tag: automatic-ChangeLog--srvx@srvx.net--2005-srvx/srvx--devo--1.3
 #
 
+2005-01-24 17:12:38 GMT	Michael Poole <mdpoole@troilus.org>	patch-8
+
+    Summary:
+      typo fix in alloc-srvx.c; avoid dereferencing free()'d bans
+    Revision:
+      srvx--devo--1.3--patch-8
+
+    src/alloc-srvx.c (srvx_realloc): Fix argument list to srvx_free().
+    
+    src/chanserv.c (find_matching_bans): Make temporary copies of bans to
+    be removed.  Double-check remove count at end of loop.
+    (unban_user, cmd_open): Free the string copies.
+    (cmd_unbanall): Make temporary copies of removed bans and free them.
+    (handle_mode): Likewise.
+    
+    src/opserv.c (cmd_clearbans): Likewise.
+
+    modified files:
+     ChangeLog src/alloc-srvx.c src/chanserv.c src/opserv.c
+
+
 2005-01-24 16:45:44 GMT	Michael Poole <mdpoole@troilus.org>	patch-7
 
     Summary:
diff --git a/src/alloc-srvx.c b/src/alloc-srvx.c
index 189b36d..72fca5a 100644
--- a/src/alloc-srvx.c
+++ b/src/alloc-srvx.c
@@ -98,7 +98,7 @@ srvx_realloc(const char *file, unsigned int line, void *ptr, size_t size)
     alloc_count++;
     alloc_size += size;
 
-    srvx_free(block);
+    srvx_free(file, line, block + 1);
 
     return newblock + 1;
 }
diff --git a/src/chanserv.c b/src/chanserv.c
index c38cd51..7f0596f 100644
--- a/src/chanserv.c
+++ b/src/chanserv.c
@@ -3046,8 +3046,9 @@ find_matching_bans(struct banList *bans, struct userNode *actee, const char *mas
         if(!match[ii])
             continue;
         change->args[count].mode = MODE_REMOVE | MODE_BAN;
-        change->args[count++].u.hostmask = bans->list[ii]->ban;
+        change->args[count++].u.hostmask = strdup(bans->list[ii]->ban);
     }
+    assert(count == change->argc);
     return change;
 }
 
@@ -3080,7 +3081,11 @@ unban_user(struct userNode *user, struct chanNode *channel, unsigned int argc, c
         change = find_matching_bans(&channel->banlist, actee, mask);
         if(change)
         {
+            unsigned int ii;
+
             modcmd_chanmode_announce(change);
+            for(ii = 0; ii < change->argc; ++ii)
+                free((char*)change->args[ii].u.hostmask);
             mod_chanmode_free(change);
             acted = 1;
         }
@@ -3157,9 +3162,11 @@ static CHANSERV_FUNC(cmd_unbanall)
     for(ii=0; ii<channel->banlist.used; ii++)
     {
         change->args[ii].mode = MODE_REMOVE | MODE_BAN;
-        change->args[ii].u.hostmask = channel->banlist.list[ii]->ban;
+        change->args[ii].u.hostmask = strdup(channel->banlist.list[ii]->ban);
     }
     modcmd_chanmode_announce(change);
+    for(ii = 0; ii < change->argc; ++ii)
+        free((char*)change->args[ii].u.hostmask);
     mod_chanmode_free(change);
     reply("CSMSG_BANS_REMOVED", channel->name);
     return 1;
@@ -3168,6 +3175,7 @@ static CHANSERV_FUNC(cmd_unbanall)
 static CHANSERV_FUNC(cmd_open)
 {
     struct mod_chanmode *change;
+    unsigned int ii;
 
     change = find_matching_bans(&channel->banlist, user, NULL);
     if(!change)
@@ -3178,6 +3186,8 @@ static CHANSERV_FUNC(cmd_open)
         change->modes_clear &= ~channel->channel_info->modes.modes_set;
     modcmd_chanmode_announce(change);
     reply("CSMSG_CHANNEL_OPENED", channel->name);
+    for(ii = 0; ii < change->argc; ++ii)
+        free((char*)change->args[ii].u.hostmask);
     mod_chanmode_free(change);
     return 1;
 }
@@ -6217,7 +6227,7 @@ handle_mode(struct chanNode *channel, struct userNode *user, const struct mod_ch
             if(!bounce)
                 bounce = mod_chanmode_alloc(change->argc + 1 - ii);
             bounce->args[bnc].mode = MODE_REMOVE | MODE_BAN;
-            bounce->args[bnc].u.hostmask = ban;
+            bounce->args[bnc].u.hostmask = strdup(ban);
             bnc++;
             send_message(user, chanserv, "CSMSG_MASK_PROTECTED", ban);
         }
@@ -6226,6 +6236,9 @@ handle_mode(struct chanNode *channel, struct userNode *user, const struct mod_ch
     {
         if((bounce->argc = bnc) || bounce->modes_set || bounce->modes_clear)
             mod_chanmode_announce(chanserv, channel, bounce);
+        for(ii = 0; ii < change->argc; ++ii)
+            if(bounce->args[ii].mode == (MODE_REMOVE | MODE_BAN))
+                free((char*)bounce->args[ii].u.hostmask);
         mod_chanmode_free(bounce);
     }
 }
diff --git a/src/opserv.c b/src/opserv.c
index 041a89a..87845c5 100644
--- a/src/opserv.c
+++ b/src/opserv.c
@@ -523,9 +523,11 @@ static MODCMD_FUNC(cmd_clearbans)
     change = mod_chanmode_alloc(channel->banlist.used);
     for (ii=0; ii<channel->banlist.used; ii++) {
         change->args[ii].mode = MODE_REMOVE | MODE_BAN;
-        change->args[ii].u.hostmask = channel->banlist.list[ii]->ban;
+        change->args[ii].u.hostmask = strdup(channel->banlist.list[ii]->ban);
     }
     modcmd_chanmode_announce(change);
+    for (ii=0; ii<change->argc; ++ii)
+        free((char*)change->args[ii].u.hostmask);
     mod_chanmode_free(change);
     reply("OSMSG_CLEARBANS_DONE", channel->name);
     return 1;