repo: ngircd
action: commit
revision: 
path_from: 
revision_from: 0e63fb3fa7ac4ca048e8c2b648d2be3fd0572311:
path_to: 
revision_to:
git.thebackupbox.net
ngircd
git clone git://git.thebackupbox.net/ngircd
commit 0e63fb3fa7ac4ca048e8c2b648d2be3fd0572311
Author: Sebastian Köhler 
Date:   Thu Feb 14 19:21:01 2013 +0100

    KICK: Fix denial of service bug

    Test if the user that it is to be kicked is on the channel before user
    channel modes are tested. Otherwise assert( cl2chan != NULL ); in
    line 742 would fail and stop the service.

diff --git a/src/ngircd/channel.c b/src/ngircd/channel.c
index 4eab2726a04393f40bc08ddec9ecfd4a4d5144c0..
index ..45bf615c29d604b453807e2a1e6c2b07c8c3f02c 100644
--- a/src/ngircd/channel.c
+++ b/src/ngircd/channel.c
@@ -326,6 +326,13 @@ Channel_Kick(CLIENT *Peer, CLIENT *Target, CLIENT *Origin, const char *Name,
 		}
 	}

+	/* Check that the client to be kicked is on the specified channel */
+	if (!Channel_IsMemberOf(chan, Target)) {
+		IRC_WriteStrClient(Origin, ERR_USERNOTINCHANNEL_MSG,
+				   Client_ID(Origin), Client_ID(Target), Name );
+		return;
+	}
+
 	if(Client_Type(Peer) == CLIENT_USER) {
 		/* Channel mode 'Q' and user mode 'q' on target: nobody but
 		 * IRC Operators and servers can kick the target user */
@@ -382,13 +389,6 @@ Channel_Kick(CLIENT *Peer, CLIENT *Target, CLIENT *Origin, const char *Name,
 		}
 	}

-	/* Check that the client to be kicked is on the specified channel */
-	if (!Channel_IsMemberOf(chan, Target)) {
-		IRC_WriteStrClient(Origin, ERR_USERNOTINCHANNEL_MSG,
-				   Client_ID(Origin), Client_ID(Target), Name );
-		return;
-	}
-
 	/* Kick Client from channel */
 	Remove_Client( REMOVE_KICK, chan, Target, Origin, Reason, true);
 } /* Channel_Kick */

-----END OF PAGE-----