Fix a buffer overflow in bluewave.c.
strcat()'ing a string onto the result of file2str() will result in a buffer overflow, since file2str() only allocates enough memory to hold the contents of the file (plus a NUL terminator). This happend in `bluewave.c`. Instead, use `file2stralloc` to read the contents of that file into a stralloc, which we can stralloc_cats onto without fear of overflow. Signed-off-by: Dan Cross <patchdev@fat-dragon.org>
This commit is contained in:
parent
aba49d7a20
commit
7bf6e05170
@ -778,6 +778,7 @@ void bwave_upload_reply() {
|
|||||||
int area;
|
int area;
|
||||||
tWORD msg_attr;
|
tWORD msg_attr;
|
||||||
struct fido_addr addr;
|
struct fido_addr addr;
|
||||||
|
stralloc sa = EMPTY_STRALLOC;
|
||||||
char *body;
|
char *body;
|
||||||
char *tagline;
|
char *tagline;
|
||||||
struct stat s;
|
struct stat s;
|
||||||
@ -1053,20 +1054,20 @@ void bwave_upload_reply() {
|
|||||||
snprintf(originlinebuffer, 256, "\r");
|
snprintf(originlinebuffer, 256, "\r");
|
||||||
}
|
}
|
||||||
|
|
||||||
body = file2str(msgbuffer);
|
sa = file2stralloc(msgbuffer);
|
||||||
if (body == NULL) {
|
if (sa.s == NULL) {
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
|
stralloc_cats(&sa, originlinebuffer);
|
||||||
|
stralloc_0(&sa);
|
||||||
|
body = sa.s;
|
||||||
|
char *p, *s;
|
||||||
|
|
||||||
strcat(body, originlinebuffer);
|
for (p = s = body; *p != '\0'; ++p) {
|
||||||
|
if (*p != '\n')
|
||||||
bpos = 0;
|
*s++ = *p;
|
||||||
for (i = 0; i < strlen(body); i++) {
|
|
||||||
if (body[i] != '\n') {
|
|
||||||
body[bpos++] = body[i];
|
|
||||||
}
|
}
|
||||||
}
|
*s = '\0';
|
||||||
body[bpos] = '\0';
|
|
||||||
|
|
||||||
if (bwave_add_message(confr, area, convertl(upl_rec.unix_date), upl_rec.to, upl_rec.subj, &addr, body) != 0) {
|
if (bwave_add_message(confr, area, convertl(upl_rec.unix_date), upl_rec.to, upl_rec.subj, &addr, body) != 0) {
|
||||||
// failed to add message
|
// failed to add message
|
||||||
|
Reference in New Issue
Block a user