Better validate MODE +k & +l parameters and return errors

Implement new numeric ERR_INVALIDMODEPARAM_MSG(696) and:

- Reject channel keys with spaces and return ERR_INVALIDMODEPARAM_MSG;
  This was possible until now and resulted in garbled IRC commands later.
- Reject empty channel keys and return ERR_INVALIDMODEPARAM_MSG;
  This was possible until now and resulted in garbled IRC commands later.
- Return ERR_INVALIDMODEPARAM_MSG when user limit is out of bounds;
  This was silently ignored until now.

Closes #290. Thanks Val Lorentz for reporting it!

2 files changed, 32 insertions, 8 deletions

diff --git a/src/ngircd/irc-mode.c b/src/ngircd/irc-mode.c
index 4a26ef02..0ea046e5 100644
--- a/src/ngircd/irc-mode.c
+++ b/src/ngircd/irc-mode.c
@@ -620,6 +620,18 @@ Channel_Mode(CLIENT *Client, REQUEST *Req, CLIENT *Origin, CHANNEL *Channel)
 						Client_ID(Origin), Req->command);
 				goto chan_exit;
 			}
+			if (!Req->argv[arg_arg][0] || strchr(Req->argv[arg_arg], ' ')) {
+				if (is_machine)
+					Log(LOG_ERR,
+					    "Got invalid key on MODE +k for \"%s\" from \"%s\"! Ignored.",
+					    Channel_Name(Channel), Client_ID(Origin));
+				else
+					connected = IRC_WriteErrClient(Origin,
+					       ERR_INVALIDMODEPARAM_MSG,
+						Client_ID(Origin),
+						Channel_Name(Channel), 'k');
+				goto chan_exit;
+			}
 			if (is_oper || is_machine || is_owner ||
 			    is_admin || is_op || is_halfop) {
 				Channel_ModeDel(Channel, 'k');
@@ -660,15 +672,25 @@ Channel_Mode(CLIENT *Client, REQUEST *Req, CLIENT *Origin, CHANNEL *Channel)
 						Client_ID(Origin), Req->command);
 				goto chan_exit;
 			}
+			l = atol(Req->argv[arg_arg]);
+			if (l <= 0 || l >= 0xFFFF) {
+				if (is_machine)
+					Log(LOG_ERR,
+					    "Got MODE +l with invalid limit for \"%s\" from \"%s\"! Ignored.",
+					    Channel_Name(Channel), Client_ID(Origin));
+				else
+					connected = IRC_WriteErrClient(Origin,
+						ERR_INVALIDMODEPARAM_MSG,
+						Client_ID(Origin),
+						Channel_Name(Channel), 'l');
+				goto chan_exit;
+			}
 			if (is_oper || is_machine || is_owner ||
 			    is_admin || is_op || is_halfop) {
-				l = atol(Req->argv[arg_arg]);
-				if (l > 0 && l < 0xFFFF) {
-					Channel_ModeDel(Channel, 'l');
-					Channel_SetMaxUsers(Channel, l);
-					snprintf(argadd, sizeof(argadd), "%ld", l);
-					x[0] = *mode_ptr;
-				}
+				Channel_ModeDel(Channel, 'l');
+				Channel_SetMaxUsers(Channel, l);
+				snprintf(argadd, sizeof(argadd), "%ld", l);
+				x[0] = *mode_ptr;
 			} else {
 				connected = IRC_WriteErrClient(Origin,
 					ERR_CHANOPRIVSNEEDED_MSG,
diff --git a/src/ngircd/messages.h b/src/ngircd/messages.h
index 76a04ff9..1bbfa699 100644
--- a/src/ngircd/messages.h
+++ b/src/ngircd/messages.h
@@ -1,6 +1,6 @@
 /*
  * ngIRCd -- The Next Generation IRC Daemon
- * Copyright (c)2001-2020 Alexander Barton (alex@barton.de) and Contributors.
+ * Copyright (c)2001-2023 Alexander Barton (alex@barton.de) and Contributors.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -162,6 +162,8 @@
 #define ERR_USERNOTONSERV_MSG		"504 %s %s :User is not on this server"
 #define ERR_NOINVITE_MSG		"518 %s :Cannot invite to %s (+V)"
 
+#define ERR_INVALIDMODEPARAM_MSG	"696 %s %s %c * :Invalid mode parameter"
+
 #ifdef ZLIB
 # define RPL_STATSLINKINFOZIP_MSG	"211 %s %s %d %ld %ld/%ld %ld %ld/%ld :%ld"
 #endif