Remove the last of the sprintf() calls.

sprintf() is unsafe since it may overflow the bounds
of its destination buffers.  Remove the last of the
calls to it; all the logic has either been rewritten
to use snprintf() or other forms of string copying
such as strlcpy().

Signed-off-by: Dan Cross <patchdev@fat-dragon.org>
Dan Cross 2018-10-16 15:05:16 +00:00 committed by Andrew Pamment
parent aacb1000c8
commit 359a190ee9
8 changed files with 61 additions and 62 deletions


@ -248,7 +248,8 @@ void s_putchar(char c) {
ic = iconv_open("UTF-8", "CP437"); ic = iconv_open("UTF-8", "CP437");
inbuf = (char *)malloz(4); inbuf = (char *)malloz(4);
outbuf = (char *)malloz(4); outbuf = (char *)malloz(4);
sprintf(inbuf, "%c", c); inbuf[0] = c;
inbuf[1] = '\0';
inc = 1; inc = 1;
ouc = 4; ouc = 4;
ptr1 = outbuf; ptr1 = outbuf;
@ -392,7 +393,7 @@ void s_displayansi(char *file) {
char buffer[256]; char buffer[256];
if (strchr(file, '/') == NULL) { if (strchr(file, '/') == NULL) {
sprintf(buffer, "%s/%s.ans", conf.ansi_path, file); snprintf(buffer, sizeof buffer, "%s/%s.ans", conf.ansi_path, file);
s_displayansi_pause(buffer, 0); s_displayansi_pause(buffer, 0);
} else { } else {
s_displayansi_pause(file, 0); s_displayansi_pause(file, 0);
@ -919,7 +920,7 @@ void runbbs_real(int socket, char *ip, int ssh) {
// find out which node we are // find out which node we are
for (i = 1; i <= conf.nodes; i++) { for (i = 1; i <= conf.nodes; i++) {
sprintf(buffer, "%s/nodeinuse.%d", conf.bbs_path, i); snprintf(buffer, sizeof buffer, "%s/nodeinuse.%d", conf.bbs_path, i);
if (stat(buffer, &s) != 0) { if (stat(buffer, &s) != 0) {
mynode = i; mynode = i;
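Review bot: The snprintf() calls that build paths ignore the return value, so a `conf.ansi_path` or `conf.bbs_path` plus name that does not fit is silently truncated and the following `stat()` or `s_displayansi_pause()` acts on a different path than intended. In s_displayansi, for example, a long `file` loses its `.ans` suffix inside `char buffer[256]`. Checking the result, e.g. `if ((size_t)snprintf(buffer, sizeof buffer, "%s/%s.ans", conf.ansi_path, file) >= sizeof buffer) return;`, makes the failure explicit; the same applies to the path-building calls in write_door32sys, show_email, mail_getemailcount, l_bbsDisplayAnsiPause, display_bulletins and www_email_delete. In runbbs_real and several of those functions the declaration of `buffer` is outside the hunk, so `sizeof buffer` is the right bound only if it is an array rather than a pointer.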


@ -401,7 +401,7 @@ void chat_system(struct user_record *user) {
} else { } else {
input_b = encapsulate_quote(inputbuffer); input_b = encapsulate_quote(inputbuffer);
raw("{ \"bbs\": \"%s\", \"nick\": \"%s\", \"msg\": \"%s\" }\n", conf.mgchat_bbstag, user->loginname, input_b); raw("{ \"bbs\": \"%s\", \"nick\": \"%s\", \"msg\": \"%s\" }\n", conf.mgchat_bbstag, user->loginname, input_b);
sprintf(buffer2, "|08(|13%s|08)[|11%s|08]: |07%s", conf.mgchat_bbstag, user->loginname, input_b); snprintf(buffer2, sizeof buffer2, "|08(|13%s|08)[|11%s|08]: |07%s", conf.mgchat_bbstag, user->loginname, input_b);
free(input_b); free(input_b);
append_screenbuffer(buffer2); append_screenbuffer(buffer2);
do_update = 1; do_update = 1;
@ -454,15 +454,21 @@ void chat_system(struct user_record *user) {
} else { } else {
for (j = 1; j < r; j++) { for (j = 1; j < r; j++) {
if (jsoneq(message, &tokens[j], "bbs") == 0) { if (jsoneq(message, &tokens[j], "bbs") == 0) {
sprintf(msg.bbstag, "%.*s", tokens[j + 1].end - tokens[j + 1].start, message + tokens[j + 1].start); snprintf(msg.bbstag, sizeof msg.bbstag, "%.*s",
tokens[j + 1].end - tokens[j + 1].start,
message + tokens[j + 1].start);
j++; j++;
} }
if (jsoneq(message, &tokens[j], "nick") == 0) { if (jsoneq(message, &tokens[j], "nick") == 0) {
sprintf(msg.nick, "%.*s", tokens[j + 1].end - tokens[j + 1].start, message + tokens[j + 1].start); snprintf(msg.nick, sizeof msg.nick, "%.*s",
tokens[j + 1].end - tokens[j + 1].start,
message + tokens[j + 1].start);
j++; j++;
} }
if (jsoneq(message, &tokens[j], "msg") == 0) { if (jsoneq(message, &tokens[j], "msg") == 0) {
sprintf(msg.msg, "%.*s", tokens[j + 1].end - tokens[j + 1].start, message + tokens[j + 1].start); snprintf(msg.msg, sizeof msg.msg, "%.*s",
tokens[j + 1].end - tokens[j + 1].start,
message + tokens[j + 1].start);
j++; j++;
} }
} }
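Review bot: Each branch of the loop in chat_system reads `tokens[j + 1]` without checking that `j + 1 < r`, so a message whose last token is one of the keys `bbs`, `nick` or `msg` indexes past the parsed tokens, and because `j++` runs inside each branch the next `jsoneq()` can be called with `j == r`. The message appears to come from the chat server, so it should be treated as untrusted. snprintf() now bounds the write, but a negative `end - start` is taken as no precision at all, and the read then runs to the next NUL. Making the second and third tests `else if` and putting `if (j + 1 >= r || tokens[j + 1].end < tokens[j + 1].start) break;` at the top of the loop body covers both cases. chat_system extends beyond the hunk.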


@ -51,7 +51,7 @@ int write_door32sys(struct user_record *user) {
char *ptr; char *ptr;
int i; int i;
sprintf(buffer, "%s/node%d", conf.bbs_path, mynode); snprintf(buffer, sizeof buffer, "%s/node%d", conf.bbs_path, mynode);
if (stat(buffer, &s) != 0) { if (stat(buffer, &s) != 0) {
mkdir(buffer, 0755); mkdir(buffer, 0755);
@ -82,7 +82,7 @@ int write_door32sys(struct user_record *user) {
// create dorinfo1.def // create dorinfo1.def
sprintf(buffer, "%s/node%d/dorinfo1.def", conf.bbs_path, mynode); snprintf(buffer, sizeof buffer, "%s/node%d/dorinfo1.def", conf.bbs_path, mynode);
fptr = fopen(buffer, "w"); fptr = fopen(buffer, "w");
@ -125,7 +125,7 @@ int write_door32sys(struct user_record *user) {
// create door.sys // create door.sys
sprintf(buffer, "%s/node%d/door.sys", conf.bbs_path, mynode); snprintf(buffer, sizeof buffer, "%s/node%d/door.sys", conf.bbs_path, mynode);
fptr = fopen(buffer, "w"); fptr = fopen(buffer, "w");
@ -203,9 +203,9 @@ void rundoor(struct user_record *user, char *cmd, int stdio, char *codepage) {
door_out = gSocket; door_out = gSocket;
} }
arguments[0] = strdup(cmd); arguments[0] = strdup(cmd);
sprintf(buffer, "%d", mynode); snprintf(buffer, sizeof buffer, "%d", mynode);
arguments[1] = strdup(buffer); arguments[1] = strdup(buffer);
sprintf(buffer, "%d", door_out); snprintf(buffer, sizeof buffer, "%d", door_out);
arguments[2] = strdup(buffer); arguments[2] = strdup(buffer);
arguments[3] = NULL; arguments[3] = NULL;


@ -149,7 +149,7 @@ void show_email(struct user_record *user, int msgno, int email_count, struct ema
s_printf(get_string(57), emails[msgno]->from); s_printf(get_string(57), emails[msgno]->from);
s_printf(get_string(58), emails[msgno]->subject); s_printf(get_string(58), emails[msgno]->subject);
localtime_r(&emails[msgno]->date, &msg_date); localtime_r(&emails[msgno]->date, &msg_date);
sprintf(buffer, "%s", asctime(&msg_date)); strlcpy(buffer, asctime(&msg_date), sizeof buffer);
buffer[strlen(buffer) - 1] = '\0'; buffer[strlen(buffer) - 1] = '\0';
s_printf(get_string(59), buffer); s_printf(get_string(59), buffer);
s_printf(get_string(60)); s_printf(get_string(60));
@ -243,7 +243,7 @@ void show_email(struct user_record *user, int msgno, int email_count, struct ema
free(msg_lines); free(msg_lines);
msg_line_count = 0; msg_line_count = 0;
sprintf(buffer, "%s/email.sq3", conf.bbs_path); snprintf(buffer, sizeof buffer, "%s/email.sq3", conf.bbs_path);
rc = sqlite3_open(buffer, &db); rc = sqlite3_open(buffer, &db);
@ -281,7 +281,7 @@ void show_email(struct user_record *user, int msgno, int email_count, struct ema
replybody = external_editor(user, user->loginname, emails[msgno]->from, emails[msgno]->body, strlen(emails[msgno]->body), emails[msgno]->from, subject, 1, 0); replybody = external_editor(user, user->loginname, emails[msgno]->from, emails[msgno]->body, strlen(emails[msgno]->body), emails[msgno]->from, subject, 1, 0);
if (replybody != NULL) { if (replybody != NULL) {
sprintf(buffer, "%s/email.sq3", conf.bbs_path); snprintf(buffer, sizeof buffer, "%s/email.sq3", conf.bbs_path);
rc = sqlite3_open(buffer, &db); rc = sqlite3_open(buffer, &db);
if (rc != SQLITE_OK) { if (rc != SQLITE_OK) {
@ -315,7 +315,7 @@ void show_email(struct user_record *user, int msgno, int email_count, struct ema
} }
free(subject); free(subject);
} else if (tolower(c) == 'd') { } else if (tolower(c) == 'd') {
sprintf(buffer, "%s/email.sq3", conf.bbs_path); snprintf(buffer, sizeof buffer, "%s/email.sq3", conf.bbs_path);
rc = sqlite3_open(buffer, &db); rc = sqlite3_open(buffer, &db);
if (rc != SQLITE_OK) { if (rc != SQLITE_OK) {
@ -620,7 +620,7 @@ int mail_getemailcount(struct user_record *user) {
sqlite3_stmt *res; sqlite3_stmt *res;
int rc; int rc;
sprintf(buffer, "%s/email.sq3", conf.bbs_path); snprintf(buffer, sizeof buffer, "%s/email.sq3", conf.bbs_path);
rc = sqlite3_open(buffer, &db); rc = sqlite3_open(buffer, &db);
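Review bot: In show_email the result of `asctime(&msg_date)` is passed straight to strlcpy() and the next line writes `buffer[strlen(buffer) - 1]`. asctime() returns a pointer to static storage and may return NULL for an out-of-range date, and an empty `buffer` would turn that index into an out-of-bounds write. `emails[msgno]->date` presumably comes from the mail database, so it should not be assumed well formed. `strftime(buffer, sizeof buffer, "%a %b %e %H:%M:%S %Y", &msg_date);` produces the same text without a newline to strip, and the `localtime_r()` result should be checked before it is used. show_email extends beyond the hunk.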


@ -444,16 +444,11 @@ char *get_file_id_diz(char *filename) {
} }
} }
bpos = 0; char *b = description;
len = strlen(description); for (char *p = description; p != '\0'; ++p)
for (i = 0; i < len; i++) { if (*p != '\r')
if (description[i] == '\r') { *b++ = *p;
continue; *b = '\0';
} else {
description[bpos++] = description[i];
}
}
description[bpos] = '\0';
snprintf(buffer, sizeof buffer, "%s/node%d/temp", conf.bbs_path, mynode); snprintf(buffer, sizeof buffer, "%s/node%d/temp", conf.bbs_path, mynode);
recursive_delete(buffer); recursive_delete(buffer);
@ -495,34 +490,31 @@ int do_download(struct user_record *user, char *file) {
} }
return 1; return 1;
} else { } else {
bpos = 0; char *b = download_command;
for (i = 0; i < strlen(defproto->download); i++) { size_t blen = sizeof download_command;
if (defproto->download[i] == '*') { for (const char *p = defproto->download; *p != '\0' && blen > 1; ++p) {
i++; if (*p == '*') {
if (defproto->download[i] == '*') { *b++ = '*';
download_command[bpos++] = defproto->download[i]; --blen;
download_command[bpos] = '\0';
continue; continue;
} else if (defproto->download[i] == 'f') { }
sprintf(&download_command[bpos], "%s", file); p++;
bpos = strlen(download_command); size_t alen = 0;
if (*p == 'f') {
continue; strlcpy(b, file, blen);
} else if (defproto->download[i] == 's') { alen = strlen(b);
if (!sshBBS) { } else if (*p == 's') {
sprintf(&download_command[bpos], "%d", gSocket); if (sshBBS) {
bpos = strlen(download_command);
} else {
s_printf(get_string(209), defproto->name); s_printf(get_string(209), defproto->name);
return 0; return 0;
} }
snprintf(b, blen, "%d", gSocket);
alen = strlen(b);
} }
b += alen;
} else { blen -= alen;
download_command[bpos++] = defproto->download[i];
download_command[bpos] = '\0';
}
} }
*b = '\0';
argc = 1; argc = 1;
last_char_space = 0; last_char_space = 0;
for (i = 0; i < strlen(download_command); i++) { for (i = 0; i < strlen(download_command); i++) {
@ -596,7 +588,6 @@ int do_upload(struct user_record *user, char *final_path) {
timeoutpaused = 0; timeoutpaused = 0;
return 1; return 1;
} else { } else {
if (defproto->upload_prompt) { if (defproto->upload_prompt) {
s_printf(get_string(210)); s_printf(get_string(210));
s_readstring(buffer3, 256); s_readstring(buffer3, 256);
@ -612,13 +603,15 @@ int do_upload(struct user_record *user, char *final_path) {
continue; continue;
} else if (defproto->upload[i] == 'f') { } else if (defproto->upload[i] == 'f') {
if (defproto->upload_prompt) { if (defproto->upload_prompt) {
sprintf(&upload_command[bpos], "%s", buffer3); size_t blen = sizeof(upload_command) - bpos;
strlcpy(upload_command + bpos, buffer3, blen);
bpos = strlen(upload_command); bpos = strlen(upload_command);
} }
continue; continue;
} else if (defproto->upload[i] == 's') { } else if (defproto->upload[i] == 's') {
if (!sshBBS) { if (!sshBBS) {
sprintf(&upload_command[bpos], "%d", gSocket); size_t blen = sizeof(upload_command) - bpos;
snprintf(upload_command + bpos, blen, "%d", gSocket);
bpos = strlen(upload_command); bpos = strlen(upload_command);
} else { } else {
s_printf(get_string(209), defproto->name); s_printf(get_string(209), defproto->name);
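Review bot: The rewritten expansion loop in do_download has its `*` test inverted: `if (*p == '*')` copies a literal `*` and continues, while every ordinary character falls through to `p++` and is dropped, so the protocol command template is no longer reproduced and the `**` escape is lost. The extra `p++` on a non-`*` character can also step over the terminating NUL, after which the loop condition reads past the end of `defproto->download`. The first test should be `*p != '*'` copying `*p`, with the `**` case handled after the advance, as sketched below. In the same file section, get_file_id_diz loops on `p != '\0'`, which compares the pointer rather than the character and never stops at the end of `description`; it should read `*p != '\0'`. Both functions extend beyond their hunks.

```c
for (const char *p = defproto->download; *p != '\0' && blen > 1; ++p) {
	if (*p != '*') {
		/* ordinary character: copy it through unchanged */
		*b++ = *p;
		--blen;
		continue;
	}
	if (*++p == '\0')
		break; /* template ends in a lone '*' */
	if (*p == '*') {
		/* "**" is an escaped literal '*' */
		*b++ = '*';
		--blen;
		continue;
	}
	/* … unchanged: size_t alen, the 'f' and 's' expansions, b += alen, blen -= alen … */
}
```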


@ -57,7 +57,7 @@ int l_bbsDisplayAnsiPause(lua_State *L) {
char buffer[256]; char buffer[256];
if (strchr(str, '/') == NULL) { if (strchr(str, '/') == NULL) {
sprintf(buffer, "%s/%s.ans", conf.ansi_path, str); snprintf(buffer, sizeof buffer, "%s/%s.ans", conf.ansi_path, str);
s_displayansi_pause(buffer, 1); s_displayansi_pause(buffer, 1);
} else { } else {
s_displayansi_pause(str, 1); s_displayansi_pause(str, 1);
@ -443,7 +443,7 @@ int l_postMessage(lua_State *L) {
JAM_PutSubfield(jsp, &jsf); JAM_PutSubfield(jsp, &jsf);
if (ma->type == TYPE_NEWSGROUP_AREA) { if (ma->type == TYPE_NEWSGROUP_AREA) {
sprintf(buffer, "ALL"); strlcpy(buffer, "ALL", sizeof buffer);
jsf.LoID = JAMSFLD_RECVRNAME; jsf.LoID = JAMSFLD_RECVRNAME;
jsf.HiID = 0; jsf.HiID = 0;
jsf.DatLen = strlen(buffer); jsf.DatLen = strlen(buffer);


@ -18,8 +18,7 @@ void display_bulletins() {
struct stat s; struct stat s;
i = 0; i = 0;
sprintf(buffer, "%s/bulletin%d.ans", conf.ansi_path, i); snprintf(buffer, sizeof buffer, "%s/bulletin%d.ans", conf.ansi_path, i);
while (stat(buffer, &s) == 0) { while (stat(buffer, &s) == 0) {
s_printf("\e[2J\e[1;1H"); s_printf("\e[2J\e[1;1H");
s_displayansi_pause(buffer, 1); s_displayansi_pause(buffer, 1);
@ -27,7 +26,7 @@ void display_bulletins() {
s_getc(); s_getc();
s_printf("\r\n"); s_printf("\r\n");
i++; i++;
sprintf(buffer, "%s/bulletin%d.ans", conf.ansi_path, i); snprintf(buffer, sizeof buffer, "%s/bulletin%d.ans", conf.ansi_path, i);
} }
} }


@ -25,7 +25,7 @@ int www_email_delete(struct user_record *user, int id) {
char *dsql = "DELETE FROM email WHERE id=? AND recipient LIKE ?"; char *dsql = "DELETE FROM email WHERE id=? AND recipient LIKE ?";
char *err_msg = 0; char *err_msg = 0;
sprintf(buffer, "%s/email.sq3", conf.bbs_path); snprintf(buffer, sizeof buffer, "%s/email.sq3", conf.bbs_path);
rc = sqlite3_open(buffer, &db); rc = sqlite3_open(buffer, &db);
if (rc != SQLITE_OK) { if (rc != SQLITE_OK) {
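Review bot: The statement in www_email_delete matches the owner with `recipient LIKE ?`, so if the bound value is the login name and names may contain `%` or `_`, those characters act as wildcards and the delete can match mail addressed to someone else. If LIKE is there only for case-insensitive comparison, `recipient = ? COLLATE NOCASE` keeps that without pattern matching. The bind calls are outside the hunk, so this needs confirming against them.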