There is a buffer overflow in ngircd, src/ngircd/lists.c, in Lists_MakeMask().
It is caused by an integer underflow in line 317:
317 strlcpy( TheMask, Pattern, sizeof( TheMask ) - strlen( at ) - 4 );
strlen( at ) - 4 can be larger than sizeof( TheMask ).
Steps to Reproduce:
1. netcat / telnet to an ngircd daemon.
USER a b c d
MODE #b +b aaaa....aa@aaaa...aaa
Truncate the string.
Fixed in ngircd 0.8.2.
Many thanks for letting us know so fast, Florian.
net-irc team please bump to newest package.
net-irc/ngircd-0.8.2 in CVS and stable on x86.
Florian: couldn't that vulnerability also be used to execute arbitrary code?
I was only able to crash the server, but this is most likely because of my clumsy efforts. Given that the input comes from the client (and is under very few restrictions) someone more skilled might be able to exploit this.
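The size computation from the report above, as an added illustration (not ngircd's own code): the reported expression next to a checked variant that measures the client-supplied host part before subtracting. The 64-byte buffer size, the function names and the "user@host" assembly are assumptions for this example, not taken from ngircd.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Assumed buffer size for illustration; ngircd's real sizeof(TheMask)
 * is not given in the report. */
#define MASK_SIZE 64

/* Size argument as the reported line computes it. All operands are
 * size_t, so when at_len + 4 > mask_size the subtraction wraps to a
 * value near SIZE_MAX, and a bounded copy handed that size is unbounded. */
size_t reported_size(size_t mask_size, size_t at_len)
{
    return mask_size - at_len - 4;
}

/* True when the reported expression wraps for these lengths. */
bool reported_size_wraps(size_t mask_size, size_t at_len)
{
    return at_len > mask_size || mask_size - at_len < 4;
}

/* Hardened replacement: validate before subtracting. Returns -1 when the
 * host part leaves no room; *out is the room left for the user part. */
int checked_size(size_t mask_size, size_t at_len, size_t *out)
{
    if (reported_size_wraps(mask_size, at_len))
        return -1;
    *out = mask_size - at_len - 4;
    return 0;
}

/* Builds "user@host" from a client-supplied pattern the way a hardened
 * mask routine would: measure the host part first and reject over-long
 * input. Returns -1 on rejection, 0 on success (user part truncated). */
int make_mask_checked(char *mask, size_t mask_size, const char *pattern)
{
    const char *at = strchr(pattern, '@');
    size_t user_room, user_len;
    if (at == NULL || checked_size(mask_size, strlen(at), &user_room) != 0)
        return -1;
    user_len = (size_t)(at - pattern);
    if (user_len > user_room)
        user_len = user_room;
    memcpy(mask, pattern, user_len);
    mask[user_len] = '\0';
    strcat(mask, at); /* fits: user_len + strlen(at) + 1 <= mask_size - 3 */
    return 0;
}
```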