Fix a buffer overflow in bluewave.c.
strcat()'ing a string onto the result of file2str() will result in a buffer overflow, since file2str() only allocates enough memory to hold the contents of the file (plus a NUL terminator). This happend in `bluewave.c`. Instead, use `file2stralloc` to read the contents of that file into a stralloc, which we can stralloc_cats onto without fear of overflow. Signed-off-by: Dan Cross <patchdev@fat-dragon.org>
This commit is contained in:
Dan Cross
Andrew Pamment
parent
aba49d7a20
commit
7bf6e05170
@ -778,6 +778,7 @@ void bwave_upload_reply() {
|
||||
int area;
|
||||
tWORD msg_attr;
|
||||
struct fido_addr addr;
|
||||
stralloc sa = EMPTY_STRALLOC;
|
||||
char *body;
|
||||
char *tagline;
|
||||
struct stat s;
|
||||
@ -1053,20 +1054,20 @@ void bwave_upload_reply() {
|
||||
snprintf(originlinebuffer, 256, "\r");
|
||||
}
|
||||
|
||||
body = file2str(msgbuffer);
|
||||
if (body == NULL) {
|
||||
sa = file2stralloc(msgbuffer);
|
||||
if (sa.s == NULL) {
|
||||
continue;
|
||||
}
|
||||
stralloc_cats(&sa, originlinebuffer);
|
||||
stralloc_0(&sa);
|
||||
body = sa.s;
|
||||
char *p, *s;
|
||||
|
||||
strcat(body, originlinebuffer);
|
||||
|
||||
bpos = 0;
|
||||
for (i = 0; i < strlen(body); i++) {
|
||||
if (body[i] != '\n') {
|
||||
body[bpos++] = body[i];
|
||||
}
|
||||
for (p = s = body; *p != '\0'; ++p) {
|
||||
if (*p != '\n')
|
||||
*s++ = *p;
|
||||
}
|
||||
body[bpos] = '\0';
|
||||
*s = '\0';
|
||||
|
||||
if (bwave_add_message(confr, area, convertl(upl_rec.unix_date), upl_rec.to, upl_rec.subj, &addr, body) != 0) {
|
||||
// failed to add message
|
||||
|
||||
Reference in New Issue
Block a user