sprintf() is unsafe since it may overflow the bounds
of its destination buffers. Remove the last of the
calls to it; all the logic has either been rewritten
to use snprintf() or other forms of string copying
such as strlcpy().
Signed-off-by: Dan Cross <patchdev@fat-dragon.org>

This is the big push to get rid of the last of the
unadorned dynamic arrays. Use ptr_vectors for things
like mail conferences etc.
Lots of incidental cleanup along the way.
Signed-off-by: Dan Cross <patchdev@fat-dragon.org>

I think this is correct. The code, both before and
after, doesn't appear to NUL-terminate its output.
Signed-off-by: Dan Cross <patchdev@fat-dragon.org>

This started with using bounded operations on strings,
and morphed to introducing a utility function to open
the USERS SQLite3 database and then a general cleanup.
This needs testing.
Signed-off-by: Dan Cross <patchdev@fat-dragon.org>

sprintf() was being used to copy a string constant with
no formatting verbs; just use strlcpy() instead.
Signed-off-by: Dan Cross <patchdev@fat-dragon.org>

Note that the calls to strncat() did not account for the
NUL terminating byte, and for very long queries could have
led to a buffer overrun.
Signed-off-by: Dan Cross <patchdev@fat-dragon.org>

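The sprintf() and strncat() points above (the first commit and the one just before this note) share the same failure mode: the bound handed to the library call must account for the NUL byte the call writes. The following is an added example, not code from the commits or the project, showing bounded formatting with snprintf() truncation detection and a strncat() append whose bound is the remaining space minus one. The function names and the query pieces are constructed for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Appends src to the NUL-terminated string already in dst (capacity dstsize).
 * Returns 1 if the result was truncated, 0 otherwise.
 * The bound passed to strncat is the remaining space MINUS ONE: strncat copies
 * up to that many bytes and then always writes a NUL after them. Passing the
 * full remaining space (the defect the commit describes) lets that NUL land one
 * byte past the end of the buffer on a long enough input. */
int append_bounded(char *dst, size_t dstsize, const char *src)
{
    size_t used = strlen(dst);          /* assumes dst is already terminated */
    if (used + 1 >= dstsize)            /* no room for even one more character */
        return src[0] != '\0';
    size_t room = dstsize - used - 1;
    strncat(dst, src, room);            /* writes at most room bytes + NUL */
    return strlen(src) > room;
}

/* Formats a query into a fixed buffer with snprintf. snprintf returns the length
 * the complete output would have had; a return value >= outsize means the
 * output was truncated, where sprintf() would have written past the buffer.
 * Returns 1 if truncated (or on error), 0 otherwise. */
int format_query(char *out, size_t outsize, const char *table, int id)
{
    int n = snprintf(out, outsize, "SELECT * FROM %s WHERE id = %d;", table, id);
    return n < 0 || (size_t)n >= outsize;
}

/* Worked run: builds a query from constructed pieces into a deliberately small
 * buffer and returns how many of the appends were truncated. */
int demo_truncated_appends(void)
{
    char buf[16] = "SELECT ";
    int truncated = 0;
    truncated += append_bounded(buf, sizeof buf, "name");        /* fits */
    truncated += append_bounded(buf, sizeof buf, " FROM users"); /* cut off */
    return truncated;
}

int main(void)
{
    char q[64], small[16];
    printf("truncated appends: %d\n", demo_truncated_appends());
    printf("64-byte buffer truncated: %d\n", format_query(q, sizeof q, "users", 7));
    printf("16-byte buffer truncated: %d -> \"%s\"\n",
           format_query(small, sizeof small, "users", 7), small);
    return 0;
}
```

Both helpers report truncation rather than silently producing a shorter string, so a caller assembling a query can refuse to run a query that was cut off instead of sending a malformed one.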
In the course of removing calls to realloc(), change
the menu parsing and use logic to use ptr_vector's
directly.
This also fixes some defects in menu parsing
and avoids e.g. writing to a bad pointer (or should;
of course it needs testing...).
Finally, free menu state on return from the menu_system
function. There was a comment here to do that, but it
didn't appear to be done.
Signed-off-by: Dan Cross <patchdev@fat-dragon.org>

The poorly named `strncpy` was originally written to
copy data into fixed-sized, disk-resident data structures
in an early version of the research Unix kernel. Thus, it
has peculiar semantics: it takes source and destination
pointer arguments and a length and will *always* modify
exactly `length` bytes in the destination buffer. If
the length of the source (which is presumed to be a
NUL-terminated C-style string) is `length` or more chars
long, then the result will not be NUL terminated. If it
is less than `length` bytes long, then the result will be
padded with zeros up to `length`.
This is all well and good for storing a file name into a
fixed-width directory entry in 6th edition Unix, but it's
not useful as a general-purpose string utility.
Replaced with calls to strlcpy(), which always properly
terminates the destination but doesn't have the additional
zeroing behavior. Since the buffers that we're copying
into were allocated with malloz(), and thus are guaranteed
to be filled with zeros, we're not leaking data, but not
double-zeroing either.
A few other things were changed. Lengths of destination
buffers are now given via `sizeof` instead of manifest
constants. One call to `memcpy` took the length from the
size of the source argument, thus possibly writing beyond
the end of the destination buffer. Changed to a call to
strlcpy() with length the sizeof destination.
Signed-off-by: Dan Cross <patchdev@fat-dragon.org>
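The strncpy() semantics described in the commit message above (no terminator when the source is `length` or longer, zero padding when it is shorter) and the memcpy-bounded-by-source-size defect can both be observed directly. The following is an added example, not code from the commit or the project: `my_strlcpy` is a portable strlcpy written here (named to avoid colliding with the libc version on BSD and newer glibc), and the `record` structure and its field widths are constructed for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Portable strlcpy for this example. Copies at most size-1 bytes, always
 * NUL-terminates when size > 0, and returns strlen(src) so the caller can
 * detect truncation with (return >= size). Unlike strncpy it does not zero
 * the rest of the destination. */
size_t my_strlcpy(char *dst, const char *src, size_t size)
{
    size_t srclen = strlen(src);
    if (size > 0) {
        size_t n = srclen < size - 1 ? srclen : size - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* Returns 1 if strncpy(dst, src, n) left no NUL byte in dst[0..n-1], i.e. the
 * "source is n or more chars long" case. dst is poisoned with 'X' first so
 * only bytes strncpy actually wrote are zero. n is capped at 16. */
int strncpy_unterminated(const char *src, size_t n)
{
    char dst[16];
    if (n > sizeof dst)
        n = sizeof dst;
    memset(dst, 'X', sizeof dst);
    strncpy(dst, src, n);
    return memchr(dst, '\0', n) == NULL;
}

/* Returns how many of the n bytes strncpy wrote are zero: for a short source
 * this is n - strlen(src), the padding behaviour described above. */
size_t strncpy_zero_padding(const char *src, size_t n)
{
    char dst[16];
    size_t zeros = 0;
    if (n > sizeof dst)
        n = sizeof dst;
    memset(dst, 'X', sizeof dst);
    strncpy(dst, src, n);
    for (size_t i = 0; i < n; i++)
        if (dst[i] == '\0')
            zeros++;
    return zeros;
}

/* Constructed fixed-width record, standing in for the disk-resident structures
 * the commit message talks about. */
struct record {
    char name[8];
    char email[32];
};

/* The pattern the commit replaced bounded a memcpy by the SOURCE length, which
 * overruns rec->name for any name of 8 or more characters. Here the bound is
 * sizeof the DESTINATION field; returns 1 if the name had to be truncated. */
int record_set_name(struct record *rec, const char *name)
{
    size_t len = my_strlcpy(rec->name, name, sizeof rec->name);
    return len >= sizeof rec->name;
}

int main(void)
{
    struct record rec;
    memset(&rec, 0, sizeof rec);
    printf("strncpy of 10 chars into 8: terminated? %s\n",
           strncpy_unterminated("0123456789", 8) ? "no" : "yes");
    printf("strncpy of \"abc\" into 8: %zu zero bytes written\n",
           strncpy_zero_padding("abc", 8));
    printf("record name truncated: %d -> \"%s\"\n",
           record_set_name(&rec, "verylongname"), rec.name);
    return 0;
}
```

The `record_set_name` return value is what makes the strlcpy replacement useful beyond memory safety: a caller that needs the full name can reject the input instead of silently storing a shortened one.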