Remove the last of the sprintf() calls.
sprintf() is unsafe since it may overflow the bounds of its destination buffers. Remove the last of the calls to it; all the logic has either been rewritten to use snprintf() or other forms of string copying such as strlcpy(). Signed-off-by: Dan Cross <patchdev@fat-dragon.org>
This commit is contained in:
parent
aacb1000c8
commit
359a190ee9
@ -248,7 +248,8 @@ void s_putchar(char c) {
|
|||||||
ic = iconv_open("UTF-8", "CP437");
|
ic = iconv_open("UTF-8", "CP437");
|
||||||
inbuf = (char *)malloz(4);
|
inbuf = (char *)malloz(4);
|
||||||
outbuf = (char *)malloz(4);
|
outbuf = (char *)malloz(4);
|
||||||
sprintf(inbuf, "%c", c);
|
inbuf[0] = c;
|
||||||
|
inbuf[1] = '\0';
|
||||||
inc = 1;
|
inc = 1;
|
||||||
ouc = 4;
|
ouc = 4;
|
||||||
ptr1 = outbuf;
|
ptr1 = outbuf;
|
||||||
@ -392,7 +393,7 @@ void s_displayansi(char *file) {
|
|||||||
char buffer[256];
|
char buffer[256];
|
||||||
|
|
||||||
if (strchr(file, '/') == NULL) {
|
if (strchr(file, '/') == NULL) {
|
||||||
sprintf(buffer, "%s/%s.ans", conf.ansi_path, file);
|
snprintf(buffer, sizeof buffer, "%s/%s.ans", conf.ansi_path, file);
|
||||||
s_displayansi_pause(buffer, 0);
|
s_displayansi_pause(buffer, 0);
|
||||||
} else {
|
} else {
|
||||||
s_displayansi_pause(file, 0);
|
s_displayansi_pause(file, 0);
|
||||||
@ -919,7 +920,7 @@ void runbbs_real(int socket, char *ip, int ssh) {
|
|||||||
|
|
||||||
// find out which node we are
|
// find out which node we are
|
||||||
for (i = 1; i <= conf.nodes; i++) {
|
for (i = 1; i <= conf.nodes; i++) {
|
||||||
sprintf(buffer, "%s/nodeinuse.%d", conf.bbs_path, i);
|
snprintf(buffer, sizeof buffer, "%s/nodeinuse.%d", conf.bbs_path, i);
|
||||||
|
|
||||||
if (stat(buffer, &s) != 0) {
|
if (stat(buffer, &s) != 0) {
|
||||||
mynode = i;
|
mynode = i;
|
||||||
|
@ -401,7 +401,7 @@ void chat_system(struct user_record *user) {
|
|||||||
} else {
|
} else {
|
||||||
input_b = encapsulate_quote(inputbuffer);
|
input_b = encapsulate_quote(inputbuffer);
|
||||||
raw("{ \"bbs\": \"%s\", \"nick\": \"%s\", \"msg\": \"%s\" }\n", conf.mgchat_bbstag, user->loginname, input_b);
|
raw("{ \"bbs\": \"%s\", \"nick\": \"%s\", \"msg\": \"%s\" }\n", conf.mgchat_bbstag, user->loginname, input_b);
|
||||||
sprintf(buffer2, "|08(|13%s|08)[|11%s|08]: |07%s", conf.mgchat_bbstag, user->loginname, input_b);
|
snprintf(buffer2, sizeof buffer2, "|08(|13%s|08)[|11%s|08]: |07%s", conf.mgchat_bbstag, user->loginname, input_b);
|
||||||
free(input_b);
|
free(input_b);
|
||||||
append_screenbuffer(buffer2);
|
append_screenbuffer(buffer2);
|
||||||
do_update = 1;
|
do_update = 1;
|
||||||
@ -454,15 +454,21 @@ void chat_system(struct user_record *user) {
|
|||||||
} else {
|
} else {
|
||||||
for (j = 1; j < r; j++) {
|
for (j = 1; j < r; j++) {
|
||||||
if (jsoneq(message, &tokens[j], "bbs") == 0) {
|
if (jsoneq(message, &tokens[j], "bbs") == 0) {
|
||||||
sprintf(msg.bbstag, "%.*s", tokens[j + 1].end - tokens[j + 1].start, message + tokens[j + 1].start);
|
snprintf(msg.bbstag, sizeof msg.bbstag, "%.*s",
|
||||||
|
tokens[j + 1].end - tokens[j + 1].start,
|
||||||
|
message + tokens[j + 1].start);
|
||||||
j++;
|
j++;
|
||||||
}
|
}
|
||||||
if (jsoneq(message, &tokens[j], "nick") == 0) {
|
if (jsoneq(message, &tokens[j], "nick") == 0) {
|
||||||
sprintf(msg.nick, "%.*s", tokens[j + 1].end - tokens[j + 1].start, message + tokens[j + 1].start);
|
snprintf(msg.nick, sizeof msg.nick, "%.*s",
|
||||||
|
tokens[j + 1].end - tokens[j + 1].start,
|
||||||
|
message + tokens[j + 1].start);
|
||||||
j++;
|
j++;
|
||||||
}
|
}
|
||||||
if (jsoneq(message, &tokens[j], "msg") == 0) {
|
if (jsoneq(message, &tokens[j], "msg") == 0) {
|
||||||
sprintf(msg.msg, "%.*s", tokens[j + 1].end - tokens[j + 1].start, message + tokens[j + 1].start);
|
snprintf(msg.msg, sizeof msg.msg, "%.*s",
|
||||||
|
tokens[j + 1].end - tokens[j + 1].start,
|
||||||
|
message + tokens[j + 1].start);
|
||||||
j++;
|
j++;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
10
src/doors.c
10
src/doors.c
@ -51,7 +51,7 @@ int write_door32sys(struct user_record *user) {
|
|||||||
char *ptr;
|
char *ptr;
|
||||||
int i;
|
int i;
|
||||||
|
|
||||||
sprintf(buffer, "%s/node%d", conf.bbs_path, mynode);
|
snprintf(buffer, sizeof buffer, "%s/node%d", conf.bbs_path, mynode);
|
||||||
|
|
||||||
if (stat(buffer, &s) != 0) {
|
if (stat(buffer, &s) != 0) {
|
||||||
mkdir(buffer, 0755);
|
mkdir(buffer, 0755);
|
||||||
@ -82,7 +82,7 @@ int write_door32sys(struct user_record *user) {
|
|||||||
|
|
||||||
// create dorinfo1.def
|
// create dorinfo1.def
|
||||||
|
|
||||||
sprintf(buffer, "%s/node%d/dorinfo1.def", conf.bbs_path, mynode);
|
snprintf(buffer, sizeof buffer, "%s/node%d/dorinfo1.def", conf.bbs_path, mynode);
|
||||||
|
|
||||||
fptr = fopen(buffer, "w");
|
fptr = fopen(buffer, "w");
|
||||||
|
|
||||||
@ -125,7 +125,7 @@ int write_door32sys(struct user_record *user) {
|
|||||||
|
|
||||||
// create door.sys
|
// create door.sys
|
||||||
|
|
||||||
sprintf(buffer, "%s/node%d/door.sys", conf.bbs_path, mynode);
|
snprintf(buffer, sizeof buffer, "%s/node%d/door.sys", conf.bbs_path, mynode);
|
||||||
|
|
||||||
fptr = fopen(buffer, "w");
|
fptr = fopen(buffer, "w");
|
||||||
|
|
||||||
@ -203,9 +203,9 @@ void rundoor(struct user_record *user, char *cmd, int stdio, char *codepage) {
|
|||||||
door_out = gSocket;
|
door_out = gSocket;
|
||||||
}
|
}
|
||||||
arguments[0] = strdup(cmd);
|
arguments[0] = strdup(cmd);
|
||||||
sprintf(buffer, "%d", mynode);
|
snprintf(buffer, sizeof buffer, "%d", mynode);
|
||||||
arguments[1] = strdup(buffer);
|
arguments[1] = strdup(buffer);
|
||||||
sprintf(buffer, "%d", door_out);
|
snprintf(buffer, sizeof buffer, "%d", door_out);
|
||||||
arguments[2] = strdup(buffer);
|
arguments[2] = strdup(buffer);
|
||||||
arguments[3] = NULL;
|
arguments[3] = NULL;
|
||||||
|
|
||||||
|
10
src/email.c
10
src/email.c
@ -149,7 +149,7 @@ void show_email(struct user_record *user, int msgno, int email_count, struct ema
|
|||||||
s_printf(get_string(57), emails[msgno]->from);
|
s_printf(get_string(57), emails[msgno]->from);
|
||||||
s_printf(get_string(58), emails[msgno]->subject);
|
s_printf(get_string(58), emails[msgno]->subject);
|
||||||
localtime_r(&emails[msgno]->date, &msg_date);
|
localtime_r(&emails[msgno]->date, &msg_date);
|
||||||
sprintf(buffer, "%s", asctime(&msg_date));
|
strlcpy(buffer, asctime(&msg_date), sizeof buffer);
|
||||||
buffer[strlen(buffer) - 1] = '\0';
|
buffer[strlen(buffer) - 1] = '\0';
|
||||||
s_printf(get_string(59), buffer);
|
s_printf(get_string(59), buffer);
|
||||||
s_printf(get_string(60));
|
s_printf(get_string(60));
|
||||||
@ -243,7 +243,7 @@ void show_email(struct user_record *user, int msgno, int email_count, struct ema
|
|||||||
free(msg_lines);
|
free(msg_lines);
|
||||||
msg_line_count = 0;
|
msg_line_count = 0;
|
||||||
|
|
||||||
sprintf(buffer, "%s/email.sq3", conf.bbs_path);
|
snprintf(buffer, sizeof buffer, "%s/email.sq3", conf.bbs_path);
|
||||||
|
|
||||||
rc = sqlite3_open(buffer, &db);
|
rc = sqlite3_open(buffer, &db);
|
||||||
|
|
||||||
@ -281,7 +281,7 @@ void show_email(struct user_record *user, int msgno, int email_count, struct ema
|
|||||||
|
|
||||||
replybody = external_editor(user, user->loginname, emails[msgno]->from, emails[msgno]->body, strlen(emails[msgno]->body), emails[msgno]->from, subject, 1, 0);
|
replybody = external_editor(user, user->loginname, emails[msgno]->from, emails[msgno]->body, strlen(emails[msgno]->body), emails[msgno]->from, subject, 1, 0);
|
||||||
if (replybody != NULL) {
|
if (replybody != NULL) {
|
||||||
sprintf(buffer, "%s/email.sq3", conf.bbs_path);
|
snprintf(buffer, sizeof buffer, "%s/email.sq3", conf.bbs_path);
|
||||||
|
|
||||||
rc = sqlite3_open(buffer, &db);
|
rc = sqlite3_open(buffer, &db);
|
||||||
if (rc != SQLITE_OK) {
|
if (rc != SQLITE_OK) {
|
||||||
@ -315,7 +315,7 @@ void show_email(struct user_record *user, int msgno, int email_count, struct ema
|
|||||||
}
|
}
|
||||||
free(subject);
|
free(subject);
|
||||||
} else if (tolower(c) == 'd') {
|
} else if (tolower(c) == 'd') {
|
||||||
sprintf(buffer, "%s/email.sq3", conf.bbs_path);
|
snprintf(buffer, sizeof buffer, "%s/email.sq3", conf.bbs_path);
|
||||||
|
|
||||||
rc = sqlite3_open(buffer, &db);
|
rc = sqlite3_open(buffer, &db);
|
||||||
if (rc != SQLITE_OK) {
|
if (rc != SQLITE_OK) {
|
||||||
@ -620,7 +620,7 @@ int mail_getemailcount(struct user_record *user) {
|
|||||||
sqlite3_stmt *res;
|
sqlite3_stmt *res;
|
||||||
int rc;
|
int rc;
|
||||||
|
|
||||||
sprintf(buffer, "%s/email.sq3", conf.bbs_path);
|
snprintf(buffer, sizeof buffer, "%s/email.sq3", conf.bbs_path);
|
||||||
|
|
||||||
rc = sqlite3_open(buffer, &db);
|
rc = sqlite3_open(buffer, &db);
|
||||||
|
|
||||||
|
63
src/files.c
63
src/files.c
@ -444,16 +444,11 @@ char *get_file_id_diz(char *filename) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
bpos = 0;
|
char *b = description;
|
||||||
len = strlen(description);
|
for (char *p = description; p != '\0'; ++p)
|
||||||
for (i = 0; i < len; i++) {
|
if (*p != '\r')
|
||||||
if (description[i] == '\r') {
|
*b++ = *p;
|
||||||
continue;
|
*b = '\0';
|
||||||
} else {
|
|
||||||
description[bpos++] = description[i];
|
|
||||||
}
|
|
||||||
}
|
|
||||||
description[bpos] = '\0';
|
|
||||||
|
|
||||||
snprintf(buffer, sizeof buffer, "%s/node%d/temp", conf.bbs_path, mynode);
|
snprintf(buffer, sizeof buffer, "%s/node%d/temp", conf.bbs_path, mynode);
|
||||||
recursive_delete(buffer);
|
recursive_delete(buffer);
|
||||||
@ -495,34 +490,31 @@ int do_download(struct user_record *user, char *file) {
|
|||||||
}
|
}
|
||||||
return 1;
|
return 1;
|
||||||
} else {
|
} else {
|
||||||
bpos = 0;
|
char *b = download_command;
|
||||||
for (i = 0; i < strlen(defproto->download); i++) {
|
size_t blen = sizeof download_command;
|
||||||
if (defproto->download[i] == '*') {
|
for (const char *p = defproto->download; *p != '\0' && blen > 1; ++p) {
|
||||||
i++;
|
if (*p == '*') {
|
||||||
if (defproto->download[i] == '*') {
|
*b++ = '*';
|
||||||
download_command[bpos++] = defproto->download[i];
|
--blen;
|
||||||
download_command[bpos] = '\0';
|
|
||||||
continue;
|
continue;
|
||||||
} else if (defproto->download[i] == 'f') {
|
}
|
||||||
sprintf(&download_command[bpos], "%s", file);
|
p++;
|
||||||
bpos = strlen(download_command);
|
size_t alen = 0;
|
||||||
|
if (*p == 'f') {
|
||||||
continue;
|
strlcpy(b, file, blen);
|
||||||
} else if (defproto->download[i] == 's') {
|
alen = strlen(b);
|
||||||
if (!sshBBS) {
|
} else if (*p == 's') {
|
||||||
sprintf(&download_command[bpos], "%d", gSocket);
|
if (sshBBS) {
|
||||||
bpos = strlen(download_command);
|
|
||||||
} else {
|
|
||||||
s_printf(get_string(209), defproto->name);
|
s_printf(get_string(209), defproto->name);
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
snprintf(b, blen, "%d", gSocket);
|
||||||
|
alen = strlen(b);
|
||||||
}
|
}
|
||||||
|
b += alen;
|
||||||
} else {
|
blen -= alen;
|
||||||
download_command[bpos++] = defproto->download[i];
|
|
||||||
download_command[bpos] = '\0';
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
*b = '\0';
|
||||||
argc = 1;
|
argc = 1;
|
||||||
last_char_space = 0;
|
last_char_space = 0;
|
||||||
for (i = 0; i < strlen(download_command); i++) {
|
for (i = 0; i < strlen(download_command); i++) {
|
||||||
@ -596,7 +588,6 @@ int do_upload(struct user_record *user, char *final_path) {
|
|||||||
timeoutpaused = 0;
|
timeoutpaused = 0;
|
||||||
return 1;
|
return 1;
|
||||||
} else {
|
} else {
|
||||||
|
|
||||||
if (defproto->upload_prompt) {
|
if (defproto->upload_prompt) {
|
||||||
s_printf(get_string(210));
|
s_printf(get_string(210));
|
||||||
s_readstring(buffer3, 256);
|
s_readstring(buffer3, 256);
|
||||||
@ -612,13 +603,15 @@ int do_upload(struct user_record *user, char *final_path) {
|
|||||||
continue;
|
continue;
|
||||||
} else if (defproto->upload[i] == 'f') {
|
} else if (defproto->upload[i] == 'f') {
|
||||||
if (defproto->upload_prompt) {
|
if (defproto->upload_prompt) {
|
||||||
sprintf(&upload_command[bpos], "%s", buffer3);
|
size_t blen = sizeof(upload_command) - bpos;
|
||||||
|
strlcpy(upload_command + bpos, buffer3, blen);
|
||||||
bpos = strlen(upload_command);
|
bpos = strlen(upload_command);
|
||||||
}
|
}
|
||||||
continue;
|
continue;
|
||||||
} else if (defproto->upload[i] == 's') {
|
} else if (defproto->upload[i] == 's') {
|
||||||
if (!sshBBS) {
|
if (!sshBBS) {
|
||||||
sprintf(&upload_command[bpos], "%d", gSocket);
|
size_t blen = sizeof(upload_command) - bpos;
|
||||||
|
snprintf(upload_command + bpos, blen, "%d", gSocket);
|
||||||
bpos = strlen(upload_command);
|
bpos = strlen(upload_command);
|
||||||
} else {
|
} else {
|
||||||
s_printf(get_string(209), defproto->name);
|
s_printf(get_string(209), defproto->name);
|
||||||
|
@ -57,7 +57,7 @@ int l_bbsDisplayAnsiPause(lua_State *L) {
|
|||||||
char buffer[256];
|
char buffer[256];
|
||||||
|
|
||||||
if (strchr(str, '/') == NULL) {
|
if (strchr(str, '/') == NULL) {
|
||||||
sprintf(buffer, "%s/%s.ans", conf.ansi_path, str);
|
snprintf(buffer, sizeof buffer, "%s/%s.ans", conf.ansi_path, str);
|
||||||
s_displayansi_pause(buffer, 1);
|
s_displayansi_pause(buffer, 1);
|
||||||
} else {
|
} else {
|
||||||
s_displayansi_pause(str, 1);
|
s_displayansi_pause(str, 1);
|
||||||
@ -443,7 +443,7 @@ int l_postMessage(lua_State *L) {
|
|||||||
JAM_PutSubfield(jsp, &jsf);
|
JAM_PutSubfield(jsp, &jsf);
|
||||||
|
|
||||||
if (ma->type == TYPE_NEWSGROUP_AREA) {
|
if (ma->type == TYPE_NEWSGROUP_AREA) {
|
||||||
sprintf(buffer, "ALL");
|
strlcpy(buffer, "ALL", sizeof buffer);
|
||||||
jsf.LoID = JAMSFLD_RECVRNAME;
|
jsf.LoID = JAMSFLD_RECVRNAME;
|
||||||
jsf.HiID = 0;
|
jsf.HiID = 0;
|
||||||
jsf.DatLen = strlen(buffer);
|
jsf.DatLen = strlen(buffer);
|
||||||
|
@ -18,8 +18,7 @@ void display_bulletins() {
|
|||||||
struct stat s;
|
struct stat s;
|
||||||
i = 0;
|
i = 0;
|
||||||
|
|
||||||
sprintf(buffer, "%s/bulletin%d.ans", conf.ansi_path, i);
|
snprintf(buffer, sizeof buffer, "%s/bulletin%d.ans", conf.ansi_path, i);
|
||||||
|
|
||||||
while (stat(buffer, &s) == 0) {
|
while (stat(buffer, &s) == 0) {
|
||||||
s_printf("\e[2J\e[1;1H");
|
s_printf("\e[2J\e[1;1H");
|
||||||
s_displayansi_pause(buffer, 1);
|
s_displayansi_pause(buffer, 1);
|
||||||
@ -27,7 +26,7 @@ void display_bulletins() {
|
|||||||
s_getc();
|
s_getc();
|
||||||
s_printf("\r\n");
|
s_printf("\r\n");
|
||||||
i++;
|
i++;
|
||||||
sprintf(buffer, "%s/bulletin%d.ans", conf.ansi_path, i);
|
snprintf(buffer, sizeof buffer, "%s/bulletin%d.ans", conf.ansi_path, i);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -25,7 +25,7 @@ int www_email_delete(struct user_record *user, int id) {
|
|||||||
char *dsql = "DELETE FROM email WHERE id=? AND recipient LIKE ?";
|
char *dsql = "DELETE FROM email WHERE id=? AND recipient LIKE ?";
|
||||||
char *err_msg = 0;
|
char *err_msg = 0;
|
||||||
|
|
||||||
sprintf(buffer, "%s/email.sq3", conf.bbs_path);
|
snprintf(buffer, sizeof buffer, "%s/email.sq3", conf.bbs_path);
|
||||||
|
|
||||||
rc = sqlite3_open(buffer, &db);
|
rc = sqlite3_open(buffer, &db);
|
||||||
if (rc != SQLITE_OK) {
|
if (rc != SQLITE_OK) {
|
||||||
|
Reference in New Issue
Block a user