From 7bf6e05170a355da9f0a631517284f5159a79c13 Mon Sep 17 00:00:00 2001
From: Dan Cross
Date: Fri, 12 Oct 2018 20:30:24 +0000
Subject: [PATCH] Fix a buffer overflow in bluewave.c.

strcat()'ing a string onto the result of file2str() will result in a buffer overflow, since file2str() only allocates enough memory to hold the contents of the file (plus a NUL terminator). This happend in `bluewave.c`. Instead, use `file2stralloc` to read the contents of that file into a stralloc, which we can stralloc_cats onto without fear of overflow.
Signed-off-by: Dan Cross
---
 src/bluewave.c | 21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)
diff --git a/src/bluewave.c b/src/bluewave.c
index fc0c696..83fb5c5 100644
--- a/src/bluewave.c
+++ b/src/bluewave.c
@@ -778,6 +778,7 @@ void bwave_upload_reply() {
 int area;
 tWORD msg_attr;
 struct fido_addr addr;
+ stralloc sa = EMPTY_STRALLOC;
 char *body;
 char *tagline;
 struct stat s;
@@ -1053,20 +1054,20 @@ void bwave_upload_reply() {
 snprintf(originlinebuffer, 256, "\r");
 }
- body = file2str(msgbuffer);
- if (body == NULL) {
+ sa = file2stralloc(msgbuffer);
+ if (sa.s == NULL) {
 continue;
 }
+ stralloc_cats(&sa, originlinebuffer);
+ stralloc_0(&sa);
+ body = sa.s;
+ char *p, *s;
- strcat(body, originlinebuffer);
-
- bpos = 0;
- for (i = 0; i < strlen(body); i++) {
- if (body[i] != '\n') {
- body[bpos++] = body[i];
- }
+ for (p = s = body; *p != '\0'; ++p) {
+ if (*p != '\n')
+ *s++ = *p;
 }
- body[bpos] = '\0';
+ *s = '\0';
 if (bwave_add_message(confr, area, convertl(upl_rec.unix_date), upl_rec.to, upl_rec.subj, &addr, body) != 0) { // failed to add message
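Review bot: The results of `stralloc_cats(&sa, originlinebuffer)` and `stralloc_0(&sa)` in the second hunk are discarded, yet the newline-stripping loop right after them stops only at the NUL that `stralloc_0` is meant to append. The helpers are not defined in this patch, but if they signal allocation failure by returning 0, a failed append would leave `body` unterminated and the loop would read and write past the allocation. Checking both calls closes that gap, e.g. `if (!stralloc_cats(&sa, originlinebuffer) || !stralloc_0(&sa)) continue;`, with `sa.s` released first in whatever way the function already releases `body`. Separately, the new `char *p, *s;` shadows the `struct stat s;` declared at the top of `bwave_upload_reply()` (visible in the first hunk), so a later use of `s` as the stat buffer in this block would refer to the pointer instead; `char *src, *dst;` avoids the clash. The function starts and ends outside both hunks, so whether `sa.s` is freed on every loop iteration cannot be confirmed from here.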