bbs/deb-mbse
Archived
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fixed buffer overwrite caused by bad formatted ticfiles

Browse Source
This commit is contained in:
Michiel Broek 2007-10-12 19:19:00 +00:00
parent 20606227e1
commit c43e9ed414
3 changed files with 12 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
ChangeLog
View File

@ -10,6 +10,9 @@ v0.91.12 24-Sep-2007
Added missing check to see if a user is allowed to post or Added missing check to see if a user is allowed to post or
reply a message. reply a message.
mbfido:
Fixed buffer overwrite caused by bad formatted ticfiles.
v0.91.11 02-Sep-2007 - 24-Sep-2007 v0.91.11 02-Sep-2007 - 24-Sep-2007

17
mbfido/ptic.c
View File

@ -4,7 +4,7 @@
* Purpose ...............: Process 1 .tic file * Purpose ...............: Process 1 .tic file
* *
***************************************************************************** *****************************************************************************
* Copyright (C) 1997-2006 * Copyright (C) 1997-2007
* *
* Michiel Broek FIDO: 2:280/2802 * Michiel Broek FIDO: 2:280/2802
* Beekmansbos 10 * Beekmansbos 10
@ -560,17 +560,8 @@ int ProcessTic(fa_list **sbl, orphans **opl)
* Now check if other (older) ticfiles point to this file, * Now check if other (older) ticfiles point to this file,
* if found mark it to purge later. * if found mark it to purge later.
*/ */
// First = TRUE;
for (topl = *opl; topl; topl = topl->next) { for (topl = *opl; topl; topl = topl->next) {
// if (First) {
// Syslog('f', "TIC file TIC area Filename ORP CRC DEL");
// Syslog('f', "------------ -------------------- ------------ --- --- ---");
// First = FALSE;
// }
// Syslog('f', "%-12s %-20s %-12s %s %s %s", topl->TicName, topl->Area, topl->FileName,
// topl->Orphaned ? "Yes" : "No ", topl->BadCRC ? "Yes" : "No ", topl->Purged ? "Yes":"No ");
if ((strcmp(topl->Area, TIC.TicIn.Area) == 0) && (strcmp(topl->FileName, TIC.TicIn.File) == 0)) { if ((strcmp(topl->Area, TIC.TicIn.Area) == 0) && (strcmp(topl->FileName, TIC.TicIn.File) == 0)) {
// Syslog('f', "Found matching obsolete tic file %s, mark to purge this one", topl->TicName);
topl->Purged = TRUE; topl->Purged = TRUE;
} }
} }
@ -671,7 +662,7 @@ int ProcessTic(fa_list **sbl, orphans **opl)
else else
Magic_UpDateAlias(); Magic_UpDateAlias();
for (i = 0; i <= TIC.File_Id_Ct; i++) for (i = 0; i < TIC.File_Id_Ct; i++)
strncpy(T_File.LDesc[i], TIC.File_Id[i], 48); strncpy(T_File.LDesc[i], TIC.File_Id[i], 48);
T_File.TotLdesc = TIC.File_Id_Ct; T_File.TotLdesc = TIC.File_Id_Ct;
T_File.Announce = tic.Announce; T_File.Announce = tic.Announce;
@ -746,7 +737,9 @@ int ProcessTic(fa_list **sbl, orphans **opl)
snprintf(Temp, PATH_MAX, "%s/%s", TIC.Inbound, TIC.TicName); snprintf(Temp, PATH_MAX, "%s/%s", TIC.Inbound, TIC.TicName);
unlink(Temp); if (unlink(Temp)) {
WriteError("$Can't delete %s", Temp);
}
free(Temp); free(Temp);
tidy_qualify(&qal); tidy_qualify(&qal);

5
mbfido/tic.c
View File

@ -364,6 +364,8 @@ int LoadTic(char *inb, char *tfn, orphans **opl)
if (TIC.TicIn.TotLDesc < 25) { if (TIC.TicIn.TotLDesc < 25) {
strncpy(TIC.TicIn.LDesc[TIC.TicIn.TotLDesc], Temp+6, 80); strncpy(TIC.TicIn.LDesc[TIC.TicIn.TotLDesc], Temp+6, 80);
TIC.TicIn.TotLDesc++; TIC.TicIn.TotLDesc++;
} else {
Syslog('f', "Too many LDesc lines in TIC file");
} }
} else if (strncasecmp(Temp, "destination ", 12) == 0) { } else if (strncasecmp(Temp, "destination ", 12) == 0) {
@ -411,8 +413,9 @@ int LoadTic(char *inb, char *tfn, orphans **opl)
} }
if (TIC.TicIn.TotLDesc) { if (TIC.TicIn.TotLDesc) {
T_File.TotLdesc = TIC.TicIn.TotLDesc; T_File.TotLdesc = TIC.TicIn.TotLDesc;
for (i = 0; i <= TIC.TicIn.TotLDesc; i++) for (i = 0; i < TIC.TicIn.TotLDesc; i++) {
strncpy(T_File.LDesc[i], TIC.TicIn.LDesc[i], 48); strncpy(T_File.LDesc[i], TIC.TicIn.LDesc[i], 48);
}
} }
/* /*