Hi Dave!

This is the 3rd of my 2.6 merge of the recent bugfixes (all tested
against 2.4.22-pre7).  You might need to apply them incrementally
(didn't test it in a different order).  You will receive 2.6 merges of
those patches soon.

Author: Harald Welte <laforge@netfilter.org>

This patch fixes a bug in the IRC DCC command parser of ip_conntrack_irc

Please apply,

--- linux-2.6.0-test1/net/ipv4/netfilter/ip_conntrack_irc.c	2003-07-14 05:36:48.000000000 +0200
+++ linux-2.6.0-test1-nftest2/net/ipv4/netfilter/ip_conntrack_irc.c	2003-07-19 11:41:49.000000000 +0200
@@ -54,7 +54,7 @@
 #endif
 
 static char *dccprotos[] = { "SEND ", "CHAT ", "MOVE ", "TSEND ", "SCHAT " };
-#define MAXMATCHLEN	6
+#define MINMATCHLEN	5
 
 DECLARE_LOCK(ip_irc_lock);
 struct module *ip_conntrack_irc = THIS_MODULE;
@@ -87,9 +87,11 @@
 	*ip = simple_strtoul(data, &data, 10);
 
 	/* skip blanks between ip and port */
-	while (*data == ' ')
+	while (*data == ' ') {
+		if (data >= data_end) 
+			return -1;
 		data++;
-
+	}
 
 	*port = simple_strtoul(data, &data, 10);
 	*ad_end_p = data;
@@ -139,13 +141,17 @@
 
 	data = irc_buffer;
 	data_limit = irc_buffer + skb->len - dataoff;
-	while (data < (data_limit - (22 + MAXMATCHLEN))) {
+
+	/* strlen("\1DCC SENT t AAAAAAAA P\1\n")=24
+	 * 5+MINMATCHLEN+strlen("t AAAAAAAA P\1\n")=14 */
+	while (data < (data_limit - (19 + MINMATCHLEN))) {
 		if (memcmp(data, "\1DCC ", 5)) {
 			data++;
 			continue;
 		}
 
 		data += 5;
+		/* we have at least (19+MINMATCHLEN)-5 bytes valid data left */
 
 		DEBUGP("DCC found in master %u.%u.%u.%u:%u %u.%u.%u.%u:%u...\n",
 			NIPQUAD(iph->saddr), ntohs(tcph.source),
@@ -159,6 +165,9 @@
 
 			DEBUGP("DCC %s detected\n", dccprotos[i]);
 			data += strlen(dccprotos[i]);
+			/* we have at least 
+			 * (19+MINMATCHLEN)-5-dccprotos[i].matchlen bytes valid
+			 * data left (== 14/13 bytes) */
 			if (parse_dcc((char *)data, data_limit, &dcc_ip,
 				       &dcc_port, &addr_beg_p, &addr_end_p)) {
 				/* unable to parse */
-- 
- Harald Welte <laforge@netfilter.org>             http://www.netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie