bbs/magicka
Archived
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Remove the last of the sprintf() calls.

Browse Source 
sprintf() is unsafe since it may overflow the bounds
of its destination buffers.  Remove the last of the
calls to it; all the logic has either been rewritten
to use snprintf() or other forms of string copying
such as strlcpy().

Signed-off-by: Dan Cross <patchdev@fat-dragon.org>
This commit is contained in:
Dan Cross 2018-10-16 15:05:16 +00:00 committed by Andrew Pamment
parent aacb1000c8
commit 359a190ee9
8 changed files with 61 additions and 62 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
src/bbs.c
View File

@ -248,7 +248,8 @@ void s_putchar(char c) {
ic = iconv_open("UTF-8", "CP437");
inbuf = (char *)malloz(4);
outbuf = (char *)malloz(4);
sprintf(inbuf, "%c", c);
inbuf[0] = c;
inbuf[1] = '\0';
inc = 1;
ouc = 4;
ptr1 = outbuf;
@ -392,7 +393,7 @@ void s_displayansi(char *file) {
char buffer[256];
if (strchr(file, '/') == NULL) {
sprintf(buffer, "%s/%s.ans", conf.ansi_path, file);
snprintf(buffer, sizeof buffer, "%s/%s.ans", conf.ansi_path, file);
s_displayansi_pause(buffer, 0);
} else {
s_displayansi_pause(file, 0);
@ -919,7 +920,7 @@ void runbbs_real(int socket, char *ip, int ssh) {
// find out which node we are
for (i = 1; i <= conf.nodes; i++) {
sprintf(buffer, "%s/nodeinuse.%d", conf.bbs_path, i);
snprintf(buffer, sizeof buffer, "%s/nodeinuse.%d", conf.bbs_path, i);
if (stat(buffer, &s) != 0) {
mynode = i;

14
src/chat_system.c
View File

@ -401,7 +401,7 @@ void chat_system(struct user_record *user) {
} else {
input_b = encapsulate_quote(inputbuffer);
raw("{ \"bbs\": \"%s\", \"nick\": \"%s\", \"msg\": \"%s\" }\n", conf.mgchat_bbstag, user->loginname, input_b);
sprintf(buffer2, "|08(|13%s|08)[|11%s|08]: |07%s", conf.mgchat_bbstag, user->loginname, input_b);
snprintf(buffer2, sizeof buffer2, "|08(|13%s|08)[|11%s|08]: |07%s", conf.mgchat_bbstag, user->loginname, input_b);
free(input_b);
append_screenbuffer(buffer2);
do_update = 1;
@ -454,15 +454,21 @@ void chat_system(struct user_record *user) {
} else {
for (j = 1; j < r; j++) {
if (jsoneq(message, &tokens[j], "bbs") == 0) {
sprintf(msg.bbstag, "%.*s", tokens[j + 1].end - tokens[j + 1].start, message + tokens[j + 1].start);
snprintf(msg.bbstag, sizeof msg.bbstag, "%.*s",
tokens[j + 1].end - tokens[j + 1].start,
message + tokens[j + 1].start);
j++;
}
if (jsoneq(message, &tokens[j], "nick") == 0) {
sprintf(msg.nick, "%.*s", tokens[j + 1].end - tokens[j + 1].start, message + tokens[j + 1].start);
snprintf(msg.nick, sizeof msg.nick, "%.*s",
tokens[j + 1].end - tokens[j + 1].start,
message + tokens[j + 1].start);
j++;
}
if (jsoneq(message, &tokens[j], "msg") == 0) {
sprintf(msg.msg, "%.*s", tokens[j + 1].end - tokens[j + 1].start, message + tokens[j + 1].start);
snprintf(msg.msg, sizeof msg.msg, "%.*s",
tokens[j + 1].end - tokens[j + 1].start,
message + tokens[j + 1].start);
j++;
}
}

10
src/doors.c
View File

@ -51,7 +51,7 @@ int write_door32sys(struct user_record *user) {
char *ptr;
int i;
sprintf(buffer, "%s/node%d", conf.bbs_path, mynode);
snprintf(buffer, sizeof buffer, "%s/node%d", conf.bbs_path, mynode);
if (stat(buffer, &s) != 0) {
mkdir(buffer, 0755);
@ -82,7 +82,7 @@ int write_door32sys(struct user_record *user) {
// create dorinfo1.def
sprintf(buffer, "%s/node%d/dorinfo1.def", conf.bbs_path, mynode);
snprintf(buffer, sizeof buffer, "%s/node%d/dorinfo1.def", conf.bbs_path, mynode);
fptr = fopen(buffer, "w");
@ -125,7 +125,7 @@ int write_door32sys(struct user_record *user) {
// create door.sys
sprintf(buffer, "%s/node%d/door.sys", conf.bbs_path, mynode);
snprintf(buffer, sizeof buffer, "%s/node%d/door.sys", conf.bbs_path, mynode);
fptr = fopen(buffer, "w");
@ -203,9 +203,9 @@ void rundoor(struct user_record *user, char *cmd, int stdio, char *codepage) {
door_out = gSocket;
}
arguments[0] = strdup(cmd);
sprintf(buffer, "%d", mynode);
snprintf(buffer, sizeof buffer, "%d", mynode);
arguments[1] = strdup(buffer);
sprintf(buffer, "%d", door_out);
snprintf(buffer, sizeof buffer, "%d", door_out);
arguments[2] = strdup(buffer);
arguments[3] = NULL;

10
src/email.c
View File

@ -149,7 +149,7 @@ void show_email(struct user_record *user, int msgno, int email_count, struct ema
s_printf(get_string(57), emails[msgno]->from);
s_printf(get_string(58), emails[msgno]->subject);
localtime_r(&emails[msgno]->date, &msg_date);
sprintf(buffer, "%s", asctime(&msg_date));
strlcpy(buffer, asctime(&msg_date), sizeof buffer);
buffer[strlen(buffer) - 1] = '\0';
s_printf(get_string(59), buffer);
s_printf(get_string(60));
@ -243,7 +243,7 @@ void show_email(struct user_record *user, int msgno, int email_count, struct ema
free(msg_lines);
msg_line_count = 0;
sprintf(buffer, "%s/email.sq3", conf.bbs_path);
snprintf(buffer, sizeof buffer, "%s/email.sq3", conf.bbs_path);
rc = sqlite3_open(buffer, &db);
@ -281,7 +281,7 @@ void show_email(struct user_record *user, int msgno, int email_count, struct ema
replybody = external_editor(user, user->loginname, emails[msgno]->from, emails[msgno]->body, strlen(emails[msgno]->body), emails[msgno]->from, subject, 1, 0);
if (replybody != NULL) {
sprintf(buffer, "%s/email.sq3", conf.bbs_path);
snprintf(buffer, sizeof buffer, "%s/email.sq3", conf.bbs_path);
rc = sqlite3_open(buffer, &db);
if (rc != SQLITE_OK) {
@ -315,7 +315,7 @@ void show_email(struct user_record *user, int msgno, int email_count, struct ema
}
free(subject);
} else if (tolower(c) == 'd') {
sprintf(buffer, "%s/email.sq3", conf.bbs_path);
snprintf(buffer, sizeof buffer, "%s/email.sq3", conf.bbs_path);
rc = sqlite3_open(buffer, &db);
if (rc != SQLITE_OK) {
@ -620,7 +620,7 @@ int mail_getemailcount(struct user_record *user) {
sqlite3_stmt *res;
int rc;
sprintf(buffer, "%s/email.sq3", conf.bbs_path);
snprintf(buffer, sizeof buffer, "%s/email.sq3", conf.bbs_path);
rc = sqlite3_open(buffer, &db);

71
src/files.c
View File

@ -444,16 +444,11 @@ char *get_file_id_diz(char *filename) {
}
}
bpos = 0;
len = strlen(description);
for (i = 0; i < len; i++) {
if (description[i] == '\r') {
continue;
} else {
description[bpos++] = description[i];
}
}
description[bpos] = '\0';
char *b = description;
for (char *p = description; p != '\0'; ++p)
if (*p != '\r')
*b++ = *p;
*b = '\0';
snprintf(buffer, sizeof buffer, "%s/node%d/temp", conf.bbs_path, mynode);
recursive_delete(buffer);
@ -495,34 +490,31 @@ int do_download(struct user_record *user, char *file) {
}
return 1;
} else {
bpos = 0;
for (i = 0; i < strlen(defproto->download); i++) {
if (defproto->download[i] == '*') {
i++;
if (defproto->download[i] == '*') {
download_command[bpos++] = defproto->download[i];
download_command[bpos] = '\0';
continue;
} else if (defproto->download[i] == 'f') {
sprintf(&download_command[bpos], "%s", file);
bpos = strlen(download_command);
continue;
} else if (defproto->download[i] == 's') {
if (!sshBBS) {
sprintf(&download_command[bpos], "%d", gSocket);
bpos = strlen(download_command);
} else {
s_printf(get_string(209), defproto->name);
return 0;
}
}
} else {
download_command[bpos++] = defproto->download[i];
download_command[bpos] = '\0';
char *b = download_command;
size_t blen = sizeof download_command;
for (const char *p = defproto->download; *p != '\0' && blen > 1; ++p) {
if (*p == '*') {
*b++ = '*';
--blen;
continue;
}
p++;
size_t alen = 0;
if (*p == 'f') {
strlcpy(b, file, blen);
alen = strlen(b);
} else if (*p == 's') {
if (sshBBS) {
s_printf(get_string(209), defproto->name);
return 0;
}
snprintf(b, blen, "%d", gSocket);
alen = strlen(b);
}
b += alen;
blen -= alen;
}
*b = '\0';
argc = 1;
last_char_space = 0;
for (i = 0; i < strlen(download_command); i++) {
@ -596,7 +588,6 @@ int do_upload(struct user_record *user, char *final_path) {
timeoutpaused = 0;
return 1;
} else {
if (defproto->upload_prompt) {
s_printf(get_string(210));
s_readstring(buffer3, 256);
@ -612,13 +603,15 @@ int do_upload(struct user_record *user, char *final_path) {
continue;
} else if (defproto->upload[i] == 'f') {
if (defproto->upload_prompt) {
sprintf(&upload_command[bpos], "%s", buffer3);
size_t blen = sizeof(upload_command) - bpos;
strlcpy(upload_command + bpos, buffer3, blen);
bpos = strlen(upload_command);
}
continue;
} else if (defproto->upload[i] == 's') {
if (!sshBBS) {
sprintf(&upload_command[bpos], "%d", gSocket);
size_t blen = sizeof(upload_command) - bpos;
snprintf(upload_command + bpos, blen, "%d", gSocket);
bpos = strlen(upload_command);
} else {
s_printf(get_string(209), defproto->name);

4
src/lua_glue.c
View File

@ -57,7 +57,7 @@ int l_bbsDisplayAnsiPause(lua_State *L) {
char buffer[256];
if (strchr(str, '/') == NULL) {
sprintf(buffer, "%s/%s.ans", conf.ansi_path, str);
snprintf(buffer, sizeof buffer, "%s/%s.ans", conf.ansi_path, str);
s_displayansi_pause(buffer, 1);
} else {
s_displayansi_pause(str, 1);
@ -443,7 +443,7 @@ int l_postMessage(lua_State *L) {
JAM_PutSubfield(jsp, &jsf);
if (ma->type == TYPE_NEWSGROUP_AREA) {
sprintf(buffer, "ALL");
strlcpy(buffer, "ALL", sizeof buffer);
jsf.LoID = JAMSFLD_RECVRNAME;
jsf.HiID = 0;
jsf.DatLen = strlen(buffer);

5
src/main_menu.c
View File

@ -18,8 +18,7 @@ void display_bulletins() {
struct stat s;
i = 0;
sprintf(buffer, "%s/bulletin%d.ans", conf.ansi_path, i);
snprintf(buffer, sizeof buffer, "%s/bulletin%d.ans", conf.ansi_path, i);
while (stat(buffer, &s) == 0) {
s_printf("\e[2J\e[1;1H");
s_displayansi_pause(buffer, 1);
@ -27,7 +26,7 @@ void display_bulletins() {
s_getc();
s_printf("\r\n");
i++;
sprintf(buffer, "%s/bulletin%d.ans", conf.ansi_path, i);
snprintf(buffer, sizeof buffer, "%s/bulletin%d.ans", conf.ansi_path, i);
}
}

2
src/www_email.c
View File

@ -25,7 +25,7 @@ int www_email_delete(struct user_record *user, int id) {
char *dsql = "DELETE FROM email WHERE id=? AND recipient LIKE ?";
char *err_msg = 0;
sprintf(buffer, "%s/email.sq3", conf.bbs_path);
snprintf(buffer, sizeof buffer, "%s/email.sq3", conf.bbs_path);
rc = sqlite3_open(buffer, &db);
if (rc != SQLITE_OK) {