Bugfix (buffer overflow) in sbbs_t::temp_xfer(). strcpy() of uninitialized

temp_uler string over-writes f.dir and other stuff. Man I can't wait to nuke this code! Blechy! Pew!

Bugfix (buffer overflow) in sbbs_t::temp_xfer(). strcpy() of uninitialized
27a554ee · rswindell · 9e883f9e · 27a554ee · 27a554ee
Commit 27a554ee authored 19 years ago by rswindell
--- a/src/sbbs3/filedat.c
+++ b/src/sbbs3/filedat.c
@@ -8,7 +8,7 @@
 * @format.tab-size 4		(Plain Text/Source Code File Header)			*
 * @format.use-tabs true	(see http://www.synchro.net/ptsc_hdr.html)		*
 *																			*
- * Copyright 2003 Rob Swindell - http://www.synchro.net/copyright.html		*
+ * Copyright 2005 Rob Swindell - http://www.synchro.net/copyright.html		*
 *																			*
 * This program is free software; you can redistribute it and/or			*
 * modify it under the terms of the GNU General Public License				*
@@ -48,7 +48,7 @@ BOOL DLLCALL getfiledat(scfg_t* cfg, file_t* f)
 	int file;
 	long length;

-	sprintf(str,"%s%s.dat",cfg->dir[f->dir]->data_dir,cfg->dir[f->dir]->code);
+	SAFEPRINTF2(str,"%s%s.dat",cfg->dir[f->dir]->data_dir,cfg->dir[f->dir]->code);
 	if((file=sopen(str,O_RDONLY|O_BINARY,SH_DENYWR))==-1) {
 		return(FALSE); 
 	}
@@ -125,7 +125,7 @@ BOOL DLLCALL putfiledat(scfg_t* cfg, file_t* f)
 	buf[F_MISC]=f->misc+' ';
 	putrec(buf,F_ALTPATH,2,hexplus(f->altpath,tmp));
 	putrec(buf,F_ALTPATH+2,2,crlf);
-	sprintf(str,"%s%s.dat",cfg->dir[f->dir]->data_dir,cfg->dir[f->dir]->code);
+	SAFEPRINTF2(str,"%s%s.dat",cfg->dir[f->dir]->data_dir,cfg->dir[f->dir]->code);
 	if((file=sopen(str,O_WRONLY|O_BINARY,SH_DENYRW))==-1) {
 		return(FALSE); 
 	}
@@ -169,7 +169,7 @@ BOOL DLLCALL addfiledat(scfg_t* cfg, file_t* f)
 	/************************/
 	/* Add data to DAT File */
 	/************************/
-	sprintf(str,"%s%s.dat",cfg->dir[f->dir]->data_dir,cfg->dir[f->dir]->code);
+	SAFEPRINTF2(str,"%s%s.dat",cfg->dir[f->dir]->data_dir,cfg->dir[f->dir]->code);
 	if((file=sopen(str,O_RDWR|O_BINARY|O_CREAT,SH_DENYRW,S_IREAD|S_IWRITE))==-1) {
 		return(FALSE); 
 	}
@@ -221,7 +221,7 @@ BOOL DLLCALL addfiledat(scfg_t* cfg, file_t* f)
 	/*******************************************/
 	/* Update last upload date/time stamp file */
 	/*******************************************/
-	sprintf(str,"%s%s.dab",cfg->dir[f->dir]->data_dir,cfg->dir[f->dir]->code);
+	SAFEPRINTF2(str,"%s%s.dab",cfg->dir[f->dir]->data_dir,cfg->dir[f->dir]->code);
 	if((file=sopen(str,O_WRONLY|O_CREAT|O_BINARY,SH_DENYRW,S_IREAD|S_IWRITE))!=-1) {
 		now=time(NULL);
 		write(file,&now,4);
@@ -231,10 +231,10 @@ BOOL DLLCALL addfiledat(scfg_t* cfg, file_t* f)
 	/************************/
 	/* Add data to IXB File */
 	/************************/
-	strcpy(fname,f->name);
+	SAFECOPY(fname,f->name);
 	for(i=8;i<12;i++)   /* Turn FILENAME.EXT into FILENAMEEXT */
 		fname[i]=fname[i+1];
-	sprintf(str,"%s%s.ixb",cfg->dir[f->dir]->data_dir,cfg->dir[f->dir]->code);
+	SAFEPRINTF2(str,"%s%s.ixb",cfg->dir[f->dir]->data_dir,cfg->dir[f->dir]->code);
 	if((file=sopen(str,O_RDWR|O_CREAT|O_BINARY,SH_DENYRW,S_IREAD|S_IWRITE))==-1) {
 		return(FALSE); 
 	}
@@ -330,7 +330,7 @@ BOOL DLLCALL getfileixb(scfg_t* cfg, file_t* f)
 	int				file;
 	long			l,length;

-	sprintf(str,"%s%s.ixb",cfg->dir[f->dir]->data_dir,cfg->dir[f->dir]->code);
+	SAFEPRINTF2(str,"%s%s.ixb",cfg->dir[f->dir]->data_dir,cfg->dir[f->dir]->code);
 	if((file=sopen(str,O_RDONLY|O_BINARY,SH_DENYWR))==-1) {
 		return(FALSE); 
 	}
@@ -349,11 +349,11 @@ BOOL DLLCALL getfileixb(scfg_t* cfg, file_t* f)
 		return(FALSE); 
 	}
 	close(file);
-	strcpy(fname,f->name);
+	SAFECOPY(fname,f->name);
 	for(l=8;l<12;l++)	/* Turn FILENAME.EXT into FILENAMEEXT */
 		fname[l]=fname[l+1];
 	for(l=0;l<length;l+=F_IXBSIZE) {
-		sprintf(str,"%11.11s",ixbbuf+l);
+		SAFEPRINTF(str,"%11.11s",ixbbuf+l);
 		if(!stricmp(str,fname))
 			break; 
 	}
@@ -380,10 +380,10 @@ BOOL DLLCALL removefiledat(scfg_t* cfg, file_t* f)
    int		i,file;
 	long	l,length;

-	strcpy(fname,f->name);
+	SAFECOPY(fname,f->name);
 	for(i=8;i<12;i++)   /* Turn FILENAME.EXT into FILENAMEEXT */
 		fname[i]=fname[i+1];
-	sprintf(str,"%s%s.ixb",cfg->dir[f->dir]->data_dir,cfg->dir[f->dir]->code);
+	SAFEPRINTF2(str,"%s%s.ixb",cfg->dir[f->dir]->data_dir,cfg->dir[f->dir]->code);
 	if((file=sopen(str,O_RDONLY|O_BINARY,SH_DENYWR))==-1) {
 		return(FALSE); 
 	}
@@ -418,7 +418,7 @@ BOOL DLLCALL removefiledat(scfg_t* cfg, file_t* f)
 	}
 	FREE((char *)ixbbuf);
 	close(file);
-	sprintf(str,"%s%s.dat",cfg->dir[f->dir]->data_dir,cfg->dir[f->dir]->code);
+	SAFEPRINTF2(str,"%s%s.dat",cfg->dir[f->dir]->data_dir,cfg->dir[f->dir]->code);
 	if((file=sopen(str,O_WRONLY|O_BINARY,SH_DENYRW))==-1) {
 		return(FALSE); 
 	}
@@ -445,11 +445,11 @@ BOOL DLLCALL findfile(scfg_t* cfg, uint dirnum, char *filename)
    int i,file;
    long length,l;

-	sprintf(fname,"%.12s",filename);
+	SAFECOPY(fname,filename);
 	strupr(fname);
 	for(i=8;i<12;i++)   /* Turn FILENAME.EXT into FILENAMEEXT */
 		fname[i]=fname[i+1];
-	sprintf(str,"%s%s.ixb",cfg->dir[dirnum]->data_dir,cfg->dir[dirnum]->code);
+	SAFEPRINTF2(str,"%s%s.ixb",cfg->dir[dirnum]->data_dir,cfg->dir[dirnum]->code);
 	if((file=sopen(str,O_RDONLY|O_BINARY,SH_DENYWR))==-1) return(FALSE);
 	length=filelength(file);
 	if(!length) {
@@ -523,7 +523,7 @@ BOOL DLLCALL rmuserxfers(scfg_t* cfg, int fromuser, int destuser, char *fname)
    int file;
    long l,length;

-	sprintf(str,"%sxfer.ixt", cfg->data_dir);
+	SAFEPRINTF(str,"%sxfer.ixt", cfg->data_dir);
 	if(!fexist(str))
 		return(FALSE);
 	if(!flength(str)) {
@@ -581,7 +581,7 @@ void DLLCALL getextdesc(scfg_t* cfg, uint dirnum, ulong datoffset, char *ext)
 	int file;

 	memset(ext,0,F_EXBSIZE+1);
-	sprintf(str,"%s%s.exb",cfg->dir[dirnum]->data_dir,cfg->dir[dirnum]->code);
+	SAFEPRINTF2(str,"%s%s.exb",cfg->dir[dirnum]->data_dir,cfg->dir[dirnum]->code);
 	if((file=nopen(str,O_RDONLY))==-1)
 		return;
 	lseek(file,(datoffset/F_LEN)*F_EXBSIZE,SEEK_SET);
@@ -596,7 +596,7 @@ void DLLCALL putextdesc(scfg_t* cfg, uint dirnum, ulong datoffset, char *ext)

 	strip_invalid_attr(ext);	/* eliminate bogus ctrl-a codes */
 	memset(nulbuf,0,sizeof(nulbuf));
-	sprintf(str,"%s%s.exb",cfg->dir[dirnum]->data_dir,cfg->dir[dirnum]->code);
+	SAFEPRINTF2(str,"%s%s.exb",cfg->dir[dirnum]->data_dir,cfg->dir[dirnum]->code);
 	if((file=nopen(str,O_WRONLY|O_CREAT))==-1)
 		return;
 	lseek(file,0L,SEEK_END);
@@ -619,7 +619,7 @@ int DLLCALL update_uldate(scfg_t* cfg, file_t* f)
 	/*******************/
 	/* Update IXB File */
 	/*******************/
-	sprintf(str,"%s%s.ixb",cfg->dir[f->dir]->data_dir,cfg->dir[f->dir]->code);
+	SAFEPRINTF2(str,"%s%s.ixb",cfg->dir[f->dir]->data_dir,cfg->dir[f->dir]->code);
 	if((file=nopen(str,O_RDWR))==-1)
 		return(errno); 
 	length=filelength(file);
@@ -627,7 +627,7 @@ int DLLCALL update_uldate(scfg_t* cfg, file_t* f)
 		close(file);
 		return(-1); 
 	}
-	strcpy(fname,f->name);
+	SAFECOPY(fname,f->name);
 	for(i=8;i<12;i++)   /* Turn FILENAME.EXT into FILENAMEEXT */
 		fname[i]=fname[i+1];
 	for(l=0;l<length;l+=F_IXBSIZE) {
@@ -645,7 +645,7 @@ int DLLCALL update_uldate(scfg_t* cfg, file_t* f)
 	/*******************************************/
 	/* Update last upload date/time stamp file */
 	/*******************************************/
-	sprintf(str,"%s%s.dab",cfg->dir[f->dir]->data_dir,cfg->dir[f->dir]->code);
+	SAFEPRINTF2(str,"%s%s.dab",cfg->dir[f->dir]->data_dir,cfg->dir[f->dir]->code);
 	if((file=nopen(str,O_WRONLY|O_CREAT))==-1)
 		return(errno);

@@ -663,9 +663,9 @@ char* DLLCALL getfilepath(scfg_t* cfg, file_t* f, char* path)

 	unpadfname(f->name,fname);
 	if(f->dir>=cfg->total_dirs)
-		sprintf(path,"%s%s",cfg->temp_dir,fname);
+		SAFEPRINTF2(path,"%s%s",cfg->temp_dir,fname);
 	else
-		sprintf(path,"%s%s",f->altpath>0 && f->altpath<=cfg->altpaths 
+		SAFEPRINTF2(path,"%s%s",f->altpath>0 && f->altpath<=cfg->altpaths 
 			? cfg->altpath[f->altpath-1] : cfg->dir[f->dir]->path
 			,fname);


--- a/src/sbbs3/tmp_xfer.cpp
+++ b/src/sbbs3/tmp_xfer.cpp
@@ -8,7 +8,7 @@
 * @format.tab-size 4		(Plain Text/Source Code File Header)			*
 * @format.use-tabs true	(see http://www.synchro.net/ptsc_hdr.html)		*
 *																			*
- * Copyright 2004 Rob Swindell - http://www.synchro.net/copyright.html		*
+ * Copyright 2005 Rob Swindell - http://www.synchro.net/copyright.html		*
 *																			*
 * This program is free software; you can redistribute it and/or			*
 * modify it under the terms of the GNU General Public License				*
@@ -66,11 +66,11 @@ void sbbs_t::temp_xfer()
 		errormsg(WHERE,ERR_ALLOC,"temp_dir",sizeof(dir_t));
 		return; }
 	memset(cfg.dir[dirnum],0,sizeof(dir_t));
-	strcpy(cfg.dir[dirnum]->lname,"Temporary");
-	strcpy(cfg.dir[dirnum]->sname,"Temp");
-	strcpy(cfg.dir[dirnum]->code,"TEMP");
-	strcpy(cfg.dir[dirnum]->path,cfg.temp_dir);
-	strcpy(cfg.dir[dirnum]->data_dir,cfg.dir[0]->data_dir);
+	SAFECOPY(cfg.dir[dirnum]->lname,"Temporary");
+	SAFECOPY(cfg.dir[dirnum]->sname,"Temp");
+	SAFECOPY(cfg.dir[dirnum]->code,"TEMP");
+	SAFECOPY(cfg.dir[dirnum]->path,cfg.temp_dir);
+	SAFECOPY(cfg.dir[dirnum]->data_dir,cfg.dir[0]->data_dir);
 	cfg.dir[dirnum]->maxfiles=MAX_FILES;
 	cfg.dir[dirnum]->op_ar=(uchar *)nulstr;
 	temp_dirnum=curdirnum=usrdir[curlib][curdir[curlib]];
@@ -80,8 +80,8 @@ void sbbs_t::temp_xfer()
 	/* Fill filedat information */
 	/****************************/
 	memset(&f,0,sizeof(f));
-	sprintf(f.name,"temp_%3.3d.%s",cfg.node_num,useron.tmpext);
-	strcpy(f.desc,"Temp File");
+	SAFEPRINTF2(f.name,"temp_%3.3d.%s",cfg.node_num,useron.tmpext);
+	SAFECOPY(f.desc,"Temp File");
 	f.dir=dirnum;

 	if(useron.misc&(RIP|WIP|HTML) && !(useron.misc&EXPERT))
@@ -98,7 +98,7 @@ void sbbs_t::temp_xfer()
 			menu("tempxfer"); }
 		ASYNC;
 		bputs(text[TempDirPrompt]);
-		strcpy(f.uler,temp_uler);
+		SAFECOPY(f.uler,temp_uler);
 		ch=(char)getkeys("ADEFNILQRVX?\r",0);
 		if(ch>' ')
 			logch(ch,0);
@@ -153,7 +153,7 @@ void sbbs_t::temp_xfer()
 				xfer_prot_menu(XFER_DOWNLOAD);
 				SYNC;
 				mnemonics(text[ProtocolOrQuit]);
-				strcpy(tmp2,"Q");
+				SAFECOPY(tmp2,"Q");
 				for(i=0;i<cfg.total_prots;i++)
 					if(cfg.prot[i]->dlcmd[0] && chk_ar(cfg.prot[i]->ar,&useron)) {
 						sprintf(tmp,"%c",cfg.prot[i]->mnemonic);
@@ -314,11 +314,11 @@ void sbbs_t::extract(uint dirnum)
 		|| strchr(fname,'?'))
 		return;
 	padfname(fname,f.name);
-	strcpy(str,f.name);
+	SAFECOPY(str,f.name);
 	truncsp(str);
 	for(i=0;i<cfg.total_fextrs;i++)
 		if(!stricmp(str+9,cfg.fextr[i]->ext) && chk_ar(cfg.fextr[i]->ar,&useron)) {
-			strcpy(excmd,cfg.fextr[i]->cmd);
+			SAFECOPY(excmd,cfg.fextr[i]->cmd);
 			break; }
 	if(i==cfg.total_fextrs) {
 		bputs(text[UnextractableFile]);
@@ -363,8 +363,8 @@ void sbbs_t::extract(uint dirnum)
 			temp_cdt=0L;
 		else
 			temp_cdt=f.cdt;
-		strcpy(temp_uler,f.uler);
-		strcpy(temp_file,f.name); }     /* padded filename */
+		SAFECOPY(temp_uler,f.uler);
+		SAFECOPY(temp_file,f.name); }     /* padded filename */
 	if(!fexistcase(path)) {
 		bputs(text[FileNotThere]);  /* not on disk */
 		return; }
@@ -438,8 +438,8 @@ ulong sbbs_t::create_filelist(char *name, long mode)
 		bputs(text[NoFiles]);
 		sprintf(str,"%s%s",cfg.temp_dir,name);
 		remove(str); }
-	strcpy(temp_file,name);
-	strcpy(temp_uler,"File List");
+	SAFECOPY(temp_file,name);
+	SAFECOPY(temp_uler,"File List");
 	return(k);
 }