Fixed buffer overwrite caused by bad formatted ticfiles
This commit is contained in:
parent
20606227e1
commit
c43e9ed414
@ -10,6 +10,9 @@ v0.91.12 24-Sep-2007
|
||||
Added missing check to see if a user is allowed to post or
|
||||
reply a message.
|
||||
|
||||
mbfido:
|
||||
Fixed buffer overwrite caused by bad formatted ticfiles.
|
||||
|
||||
|
||||
v0.91.11 02-Sep-2007 - 24-Sep-2007
|
||||
|
||||
|
@ -4,7 +4,7 @@
|
||||
* Purpose ...............: Process 1 .tic file
|
||||
*
|
||||
*****************************************************************************
|
||||
* Copyright (C) 1997-2006
|
||||
* Copyright (C) 1997-2007
|
||||
*
|
||||
* Michiel Broek FIDO: 2:280/2802
|
||||
* Beekmansbos 10
|
||||
@ -560,17 +560,8 @@ int ProcessTic(fa_list **sbl, orphans **opl)
|
||||
* Now check if other (older) ticfiles point to this file,
|
||||
* if found mark it to purge later.
|
||||
*/
|
||||
// First = TRUE;
|
||||
for (topl = *opl; topl; topl = topl->next) {
|
||||
// if (First) {
|
||||
// Syslog('f', "TIC file TIC area Filename ORP CRC DEL");
|
||||
// Syslog('f', "------------ -------------------- ------------ --- --- ---");
|
||||
// First = FALSE;
|
||||
// }
|
||||
// Syslog('f', "%-12s %-20s %-12s %s %s %s", topl->TicName, topl->Area, topl->FileName,
|
||||
// topl->Orphaned ? "Yes" : "No ", topl->BadCRC ? "Yes" : "No ", topl->Purged ? "Yes":"No ");
|
||||
if ((strcmp(topl->Area, TIC.TicIn.Area) == 0) && (strcmp(topl->FileName, TIC.TicIn.File) == 0)) {
|
||||
// Syslog('f', "Found matching obsolete tic file %s, mark to purge this one", topl->TicName);
|
||||
topl->Purged = TRUE;
|
||||
}
|
||||
}
|
||||
@ -671,7 +662,7 @@ int ProcessTic(fa_list **sbl, orphans **opl)
|
||||
else
|
||||
Magic_UpDateAlias();
|
||||
|
||||
for (i = 0; i <= TIC.File_Id_Ct; i++)
|
||||
for (i = 0; i < TIC.File_Id_Ct; i++)
|
||||
strncpy(T_File.LDesc[i], TIC.File_Id[i], 48);
|
||||
T_File.TotLdesc = TIC.File_Id_Ct;
|
||||
T_File.Announce = tic.Announce;
|
||||
@ -746,7 +737,9 @@ int ProcessTic(fa_list **sbl, orphans **opl)
|
||||
|
||||
|
||||
snprintf(Temp, PATH_MAX, "%s/%s", TIC.Inbound, TIC.TicName);
|
||||
unlink(Temp);
|
||||
if (unlink(Temp)) {
|
||||
WriteError("$Can't delete %s", Temp);
|
||||
}
|
||||
|
||||
free(Temp);
|
||||
tidy_qualify(&qal);
|
||||
|
@ -364,6 +364,8 @@ int LoadTic(char *inb, char *tfn, orphans **opl)
|
||||
if (TIC.TicIn.TotLDesc < 25) {
|
||||
strncpy(TIC.TicIn.LDesc[TIC.TicIn.TotLDesc], Temp+6, 80);
|
||||
TIC.TicIn.TotLDesc++;
|
||||
} else {
|
||||
Syslog('f', "Too many LDesc lines in TIC file");
|
||||
}
|
||||
|
||||
} else if (strncasecmp(Temp, "destination ", 12) == 0) {
|
||||
@ -411,9 +413,10 @@ int LoadTic(char *inb, char *tfn, orphans **opl)
|
||||
}
|
||||
if (TIC.TicIn.TotLDesc) {
|
||||
T_File.TotLdesc = TIC.TicIn.TotLDesc;
|
||||
for (i = 0; i <= TIC.TicIn.TotLDesc; i++)
|
||||
for (i = 0; i < TIC.TicIn.TotLDesc; i++) {
|
||||
strncpy(T_File.LDesc[i], TIC.TicIn.LDesc[i], 48);
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* Show on screen what we are doing
|
||||
|
Reference in New Issue
Block a user