Fix a buffer overflow in bluewave.c.

strcat()'ing a string onto the result of file2str()
will result in a buffer overflow, since file2str()
only allocates enough memory to hold the contents of
the file (plus a NUL terminator).  This happend in
`bluewave.c`.

Instead, use `file2stralloc` to read the contents of
that file into a stralloc, which we can stralloc_cats
onto without fear of overflow.

Signed-off-by: Dan Cross <patchdev@fat-dragon.org>
This commit is contained in:
Dan Cross 2018-10-12 20:30:24 +00:00 committed by Andrew Pamment
parent aba49d7a20
commit 7bf6e05170

View File

@ -778,6 +778,7 @@ void bwave_upload_reply() {
int area; int area;
tWORD msg_attr; tWORD msg_attr;
struct fido_addr addr; struct fido_addr addr;
stralloc sa = EMPTY_STRALLOC;
char *body; char *body;
char *tagline; char *tagline;
struct stat s; struct stat s;
@ -1053,20 +1054,20 @@ void bwave_upload_reply() {
snprintf(originlinebuffer, 256, "\r"); snprintf(originlinebuffer, 256, "\r");
} }
body = file2str(msgbuffer); sa = file2stralloc(msgbuffer);
if (body == NULL) { if (sa.s == NULL) {
continue; continue;
} }
stralloc_cats(&sa, originlinebuffer);
stralloc_0(&sa);
body = sa.s;
char *p, *s;
strcat(body, originlinebuffer); for (p = s = body; *p != '\0'; ++p) {
if (*p != '\n')
bpos = 0; *s++ = *p;
for (i = 0; i < strlen(body); i++) {
if (body[i] != '\n') {
body[bpos++] = body[i];
} }
} *s = '\0';
body[bpos] = '\0';
if (bwave_add_message(confr, area, convertl(upl_rec.unix_date), upl_rec.to, upl_rec.subj, &addr, body) != 0) { if (bwave_add_message(confr, area, convertl(upl_rec.unix_date), upl_rec.to, upl_rec.subj, &addr, body) != 0) {
// failed to add message // failed to add message