[mw-devel] [Git][arthur/mw][master] Fix two buffer overflows
Andrew Price
welshbyte at sucs.org
Mon Jan 23 14:30:55 GMT 2017
Andrew Price pushed to branch master at Justin Mitchell / mw
Commits:
abc00bd1 by Andrew Price at 2017-01-23T14:28:07+00:00
Fix two buffer overflows
1. incoming_pipe is -1 in idle() when a new user runs mw with autochat
2. When ls() tries to write too many chars into a SUBJECTSIZE+1-char
buffer.
Fixes #24
- - - - -
2 changed files:
- src/client/main.c
- src/client/read.c
Changes:
=====================================
src/client/main.c
=====================================
--- a/src/client/main.c
+++ b/src/client/main.c
@@ -966,8 +966,10 @@ int idle(int fd, int millis)
int incoming_pipe = ipc_getfd();
FD_ZERO(&readfds);
FD_ZERO(&exceptfds);
- FD_SET(incoming_pipe, &readfds);
- FD_SET(incoming_pipe, &exceptfds);
+ if (incoming_pipe >= 0) {
+ FD_SET(incoming_pipe, &readfds);
+ FD_SET(incoming_pipe, &exceptfds);
+ }
if (fd >= 0)
{
FD_SET(fd, &readfds);
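Review bot: The new `incoming_pipe >= 0` guard rejects only the negative case; `FD_SET` also writes outside the `fd_set` when the descriptor is `FD_SETSIZE` or larger, and the same applies to `fd` in the `if (fd >= 0)` branch just below. Tightening the two tests to `if (incoming_pipe >= 0 && incoming_pipe < FD_SETSIZE)` and `if (fd >= 0 && fd < FD_SETSIZE)` closes the upper bound as well. The two later hunks in this file repeat `incoming_pipe >= 0 &&` before each `FD_ISSET`; one local set here, e.g. `int have_pipe = incoming_pipe >= 0 && incoming_pipe < FD_SETSIZE;`, would keep all three tests in step. idle() begins and ends outside this hunk, so the first argument passed to select() is not visible and should be checked for the no-pipe case too.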
@@ -986,7 +988,7 @@ int idle(int fd, int millis)
select_error = errno;
if (fd >= 0) fcntl(fd, F_SETFL, fl);
if (nfds > 0) {
- if (FD_ISSET(incoming_pipe, &exceptfds)) {
+ if (incoming_pipe >= 0 && FD_ISSET(incoming_pipe, &exceptfds)) {
fprintf(stderr, _("\nError reading incoming message pipe. panic.\n"));
return -1;
}
@@ -994,7 +996,7 @@ int idle(int fd, int millis)
fprintf(stderr, _("\nError on input terminal, argh.\n"));
return -1;
}
- if (FD_ISSET(incoming_pipe, &readfds))
+ if (incoming_pipe >= 0 && FD_ISSET(incoming_pipe, &readfds))
handle_mesg();
}
in_idle--;
=====================================
src/client/read.c
=====================================
--- a/src/client/read.c
+++ b/src/client/read.c
@@ -166,7 +166,6 @@ void ls(int folnum, struct user *user, int many)
int afile;
struct folder fold;
struct Header head;
- char buff[SUBJECTSIZE+1];
int linecount=0;
int listpoint;
int screen_height = screen_h();
@@ -198,17 +197,10 @@ void ls(int folnum, struct user *user, int many)
(is_private(&fold, user) && (stringcmp(head.from, user->record.name, -1)
|| stringcmp(head.to, user->record.name, -1))))) /*marked for deletion*/
{
- strncpy(buff,head.to,NAMESIZE);
- buff[NAMESIZE]=0;
- printf("%4d %*s -> %*s ",
- head.Ref,NAMESIZE,head.from,NAMESIZE,buff);
- if (strlen(head.subject)>40)
- {
- strncpy(buff,head.subject,37);
- strcat(buff,"...");
- }else
- strcpy(buff,head.subject);
- printf("%s\n",buff);
+ printf("%4d %*s -> %*s ", head.Ref,
+ NAMESIZE, head.from,
+ NAMESIZE, head.to);
+ printf("%.*s\n", SUBJECTSIZE, head.subject);
linecount++;
if (linecount>=(screen_height-1))
{
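Review bot: `%*s` in the new `printf` sets only a minimum field width, so `head.from` and `head.to` are read up to the first NUL, whereas the removed code capped `head.to` at NAMESIZE bytes before printing it. If the Header is filled from the folder file (the read is outside this hunk), a record with an unterminated name field would make printf read past the array; `printf("%4d %*.*s -> %*.*s ", head.Ref, NAMESIZE, NAMESIZE, head.from, NAMESIZE, NAMESIZE, head.to);` bounds both names the way the subject now is. The subject is also no longer shortened to 40 characters with "...", so a long subject can wrap and the `linecount` paging that follows would then undercount screen rows. ls() starts and ends outside this hunk.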
View it on GitLab: https://projects.sucs.org/arthur/mw/commit/abc00bd1982f66568c5c63c6b6cd20c481bab90e