Commit 27a554ee authored by rswindell's avatar rswindell

Bugfix (buffer overflow) in sbbs_t::temp_xfer(). strcpy() of uninitialized temp_uler string over-writes f.dir and other stuff.
Man I can't wait to nuke this code! Blechy! Pew!
parent 9e883f9e
......@@ -8,7 +8,7 @@
* @format.tab-size 4 (Plain Text/Source Code File Header) *
* @format.use-tabs true (see http://www.synchro.net/ptsc_hdr.html) *
* *
* Copyright 2003 Rob Swindell - http://www.synchro.net/copyright.html *
* Copyright 2005 Rob Swindell - http://www.synchro.net/copyright.html *
* *
* This program is free software; you can redistribute it and/or *
* modify it under the terms of the GNU General Public License *
......@@ -48,7 +48,7 @@ BOOL DLLCALL getfiledat(scfg_t* cfg, file_t* f)
int file;
long length;
sprintf(str,"%s%s.dat",cfg->dir[f->dir]->data_dir,cfg->dir[f->dir]->code);
SAFEPRINTF2(str,"%s%s.dat",cfg->dir[f->dir]->data_dir,cfg->dir[f->dir]->code);
if((file=sopen(str,O_RDONLY|O_BINARY,SH_DENYWR))==-1) {
return(FALSE);
}
......@@ -125,7 +125,7 @@ BOOL DLLCALL putfiledat(scfg_t* cfg, file_t* f)
buf[F_MISC]=f->misc+' ';
putrec(buf,F_ALTPATH,2,hexplus(f->altpath,tmp));
putrec(buf,F_ALTPATH+2,2,crlf);
sprintf(str,"%s%s.dat",cfg->dir[f->dir]->data_dir,cfg->dir[f->dir]->code);
SAFEPRINTF2(str,"%s%s.dat",cfg->dir[f->dir]->data_dir,cfg->dir[f->dir]->code);
if((file=sopen(str,O_WRONLY|O_BINARY,SH_DENYRW))==-1) {
return(FALSE);
}
......@@ -169,7 +169,7 @@ BOOL DLLCALL addfiledat(scfg_t* cfg, file_t* f)
/************************/
/* Add data to DAT File */
/************************/
sprintf(str,"%s%s.dat",cfg->dir[f->dir]->data_dir,cfg->dir[f->dir]->code);
SAFEPRINTF2(str,"%s%s.dat",cfg->dir[f->dir]->data_dir,cfg->dir[f->dir]->code);
if((file=sopen(str,O_RDWR|O_BINARY|O_CREAT,SH_DENYRW,S_IREAD|S_IWRITE))==-1) {
return(FALSE);
}
......@@ -221,7 +221,7 @@ BOOL DLLCALL addfiledat(scfg_t* cfg, file_t* f)
/*******************************************/
/* Update last upload date/time stamp file */
/*******************************************/
sprintf(str,"%s%s.dab",cfg->dir[f->dir]->data_dir,cfg->dir[f->dir]->code);
SAFEPRINTF2(str,"%s%s.dab",cfg->dir[f->dir]->data_dir,cfg->dir[f->dir]->code);
if((file=sopen(str,O_WRONLY|O_CREAT|O_BINARY,SH_DENYRW,S_IREAD|S_IWRITE))!=-1) {
now=time(NULL);
write(file,&now,4);
......@@ -231,10 +231,10 @@ BOOL DLLCALL addfiledat(scfg_t* cfg, file_t* f)
/************************/
/* Add data to IXB File */
/************************/
strcpy(fname,f->name);
SAFECOPY(fname,f->name);
for(i=8;i<12;i++) /* Turn FILENAME.EXT into FILENAMEEXT */
fname[i]=fname[i+1];
sprintf(str,"%s%s.ixb",cfg->dir[f->dir]->data_dir,cfg->dir[f->dir]->code);
SAFEPRINTF2(str,"%s%s.ixb",cfg->dir[f->dir]->data_dir,cfg->dir[f->dir]->code);
if((file=sopen(str,O_RDWR|O_CREAT|O_BINARY,SH_DENYRW,S_IREAD|S_IWRITE))==-1) {
return(FALSE);
}
......@@ -330,7 +330,7 @@ BOOL DLLCALL getfileixb(scfg_t* cfg, file_t* f)
int file;
long l,length;
sprintf(str,"%s%s.ixb",cfg->dir[f->dir]->data_dir,cfg->dir[f->dir]->code);
SAFEPRINTF2(str,"%s%s.ixb",cfg->dir[f->dir]->data_dir,cfg->dir[f->dir]->code);
if((file=sopen(str,O_RDONLY|O_BINARY,SH_DENYWR))==-1) {
return(FALSE);
}
......@@ -349,11 +349,11 @@ BOOL DLLCALL getfileixb(scfg_t* cfg, file_t* f)
return(FALSE);
}
close(file);
strcpy(fname,f->name);
SAFECOPY(fname,f->name);
for(l=8;l<12;l++) /* Turn FILENAME.EXT into FILENAMEEXT */
fname[l]=fname[l+1];
for(l=0;l<length;l+=F_IXBSIZE) {
sprintf(str,"%11.11s",ixbbuf+l);
SAFEPRINTF(str,"%11.11s",ixbbuf+l);
if(!stricmp(str,fname))
break;
}
......@@ -380,10 +380,10 @@ BOOL DLLCALL removefiledat(scfg_t* cfg, file_t* f)
int i,file;
long l,length;
strcpy(fname,f->name);
SAFECOPY(fname,f->name);
for(i=8;i<12;i++) /* Turn FILENAME.EXT into FILENAMEEXT */
fname[i]=fname[i+1];
sprintf(str,"%s%s.ixb",cfg->dir[f->dir]->data_dir,cfg->dir[f->dir]->code);
SAFEPRINTF2(str,"%s%s.ixb",cfg->dir[f->dir]->data_dir,cfg->dir[f->dir]->code);
if((file=sopen(str,O_RDONLY|O_BINARY,SH_DENYWR))==-1) {
return(FALSE);
}
......@@ -418,7 +418,7 @@ BOOL DLLCALL removefiledat(scfg_t* cfg, file_t* f)
}
FREE((char *)ixbbuf);
close(file);
sprintf(str,"%s%s.dat",cfg->dir[f->dir]->data_dir,cfg->dir[f->dir]->code);
SAFEPRINTF2(str,"%s%s.dat",cfg->dir[f->dir]->data_dir,cfg->dir[f->dir]->code);
if((file=sopen(str,O_WRONLY|O_BINARY,SH_DENYRW))==-1) {
return(FALSE);
}
......@@ -445,11 +445,11 @@ BOOL DLLCALL findfile(scfg_t* cfg, uint dirnum, char *filename)
int i,file;
long length,l;
sprintf(fname,"%.12s",filename);
SAFECOPY(fname,filename);
strupr(fname);
for(i=8;i<12;i++) /* Turn FILENAME.EXT into FILENAMEEXT */
fname[i]=fname[i+1];
sprintf(str,"%s%s.ixb",cfg->dir[dirnum]->data_dir,cfg->dir[dirnum]->code);
SAFEPRINTF2(str,"%s%s.ixb",cfg->dir[dirnum]->data_dir,cfg->dir[dirnum]->code);
if((file=sopen(str,O_RDONLY|O_BINARY,SH_DENYWR))==-1) return(FALSE);
length=filelength(file);
if(!length) {
......@@ -523,7 +523,7 @@ BOOL DLLCALL rmuserxfers(scfg_t* cfg, int fromuser, int destuser, char *fname)
int file;
long l,length;
sprintf(str,"%sxfer.ixt", cfg->data_dir);
SAFEPRINTF(str,"%sxfer.ixt", cfg->data_dir);
if(!fexist(str))
return(FALSE);
if(!flength(str)) {
......@@ -581,7 +581,7 @@ void DLLCALL getextdesc(scfg_t* cfg, uint dirnum, ulong datoffset, char *ext)
int file;
memset(ext,0,F_EXBSIZE+1);
sprintf(str,"%s%s.exb",cfg->dir[dirnum]->data_dir,cfg->dir[dirnum]->code);
SAFEPRINTF2(str,"%s%s.exb",cfg->dir[dirnum]->data_dir,cfg->dir[dirnum]->code);
if((file=nopen(str,O_RDONLY))==-1)
return;
lseek(file,(datoffset/F_LEN)*F_EXBSIZE,SEEK_SET);
......@@ -596,7 +596,7 @@ void DLLCALL putextdesc(scfg_t* cfg, uint dirnum, ulong datoffset, char *ext)
strip_invalid_attr(ext); /* eliminate bogus ctrl-a codes */
memset(nulbuf,0,sizeof(nulbuf));
sprintf(str,"%s%s.exb",cfg->dir[dirnum]->data_dir,cfg->dir[dirnum]->code);
SAFEPRINTF2(str,"%s%s.exb",cfg->dir[dirnum]->data_dir,cfg->dir[dirnum]->code);
if((file=nopen(str,O_WRONLY|O_CREAT))==-1)
return;
lseek(file,0L,SEEK_END);
......@@ -619,7 +619,7 @@ int DLLCALL update_uldate(scfg_t* cfg, file_t* f)
/*******************/
/* Update IXB File */
/*******************/
sprintf(str,"%s%s.ixb",cfg->dir[f->dir]->data_dir,cfg->dir[f->dir]->code);
SAFEPRINTF2(str,"%s%s.ixb",cfg->dir[f->dir]->data_dir,cfg->dir[f->dir]->code);
if((file=nopen(str,O_RDWR))==-1)
return(errno);
length=filelength(file);
......@@ -627,7 +627,7 @@ int DLLCALL update_uldate(scfg_t* cfg, file_t* f)
close(file);
return(-1);
}
strcpy(fname,f->name);
SAFECOPY(fname,f->name);
for(i=8;i<12;i++) /* Turn FILENAME.EXT into FILENAMEEXT */
fname[i]=fname[i+1];
for(l=0;l<length;l+=F_IXBSIZE) {
......@@ -645,7 +645,7 @@ int DLLCALL update_uldate(scfg_t* cfg, file_t* f)
/*******************************************/
/* Update last upload date/time stamp file */
/*******************************************/
sprintf(str,"%s%s.dab",cfg->dir[f->dir]->data_dir,cfg->dir[f->dir]->code);
SAFEPRINTF2(str,"%s%s.dab",cfg->dir[f->dir]->data_dir,cfg->dir[f->dir]->code);
if((file=nopen(str,O_WRONLY|O_CREAT))==-1)
return(errno);
......@@ -663,9 +663,9 @@ char* DLLCALL getfilepath(scfg_t* cfg, file_t* f, char* path)
unpadfname(f->name,fname);
if(f->dir>=cfg->total_dirs)
sprintf(path,"%s%s",cfg->temp_dir,fname);
SAFEPRINTF2(path,"%s%s",cfg->temp_dir,fname);
else
sprintf(path,"%s%s",f->altpath>0 && f->altpath<=cfg->altpaths
SAFEPRINTF2(path,"%s%s",f->altpath>0 && f->altpath<=cfg->altpaths
? cfg->altpath[f->altpath-1] : cfg->dir[f->dir]->path
,fname);
......
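Review bot: In the getfilepath() hunk the destination of both `SAFEPRINTF2(path,...)` calls is the `char* path` parameter, not an array. If SAFEPRINTF2 takes its bound from `sizeof(dst)`, as the missing size argument suggests, the bound becomes the size of a pointer and the returned path is clipped to a few bytes, so callers would test or open the wrong name. For these two calls, either keep `sprintf(path,"%s%s",cfg->temp_dir,fname);` or use a bounded call that is given the capacity callers guarantee for `path`, which is not visible here. The other destinations in this file (`str`, `fname`) are declared outside the hunks, so it is worth confirming each one is a real array before relying on the macro.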
......@@ -8,7 +8,7 @@
* @format.tab-size 4 (Plain Text/Source Code File Header) *
* @format.use-tabs true (see http://www.synchro.net/ptsc_hdr.html) *
* *
* Copyright 2004 Rob Swindell - http://www.synchro.net/copyright.html *
* Copyright 2005 Rob Swindell - http://www.synchro.net/copyright.html *
* *
* This program is free software; you can redistribute it and/or *
* modify it under the terms of the GNU General Public License *
......@@ -66,11 +66,11 @@ void sbbs_t::temp_xfer()
errormsg(WHERE,ERR_ALLOC,"temp_dir",sizeof(dir_t));
return; }
memset(cfg.dir[dirnum],0,sizeof(dir_t));
strcpy(cfg.dir[dirnum]->lname,"Temporary");
strcpy(cfg.dir[dirnum]->sname,"Temp");
strcpy(cfg.dir[dirnum]->code,"TEMP");
strcpy(cfg.dir[dirnum]->path,cfg.temp_dir);
strcpy(cfg.dir[dirnum]->data_dir,cfg.dir[0]->data_dir);
SAFECOPY(cfg.dir[dirnum]->lname,"Temporary");
SAFECOPY(cfg.dir[dirnum]->sname,"Temp");
SAFECOPY(cfg.dir[dirnum]->code,"TEMP");
SAFECOPY(cfg.dir[dirnum]->path,cfg.temp_dir);
SAFECOPY(cfg.dir[dirnum]->data_dir,cfg.dir[0]->data_dir);
cfg.dir[dirnum]->maxfiles=MAX_FILES;
cfg.dir[dirnum]->op_ar=(uchar *)nulstr;
temp_dirnum=curdirnum=usrdir[curlib][curdir[curlib]];
......@@ -80,8 +80,8 @@ void sbbs_t::temp_xfer()
/* Fill filedat information */
/****************************/
memset(&f,0,sizeof(f));
sprintf(f.name,"temp_%3.3d.%s",cfg.node_num,useron.tmpext);
strcpy(f.desc,"Temp File");
SAFEPRINTF2(f.name,"temp_%3.3d.%s",cfg.node_num,useron.tmpext);
SAFECOPY(f.desc,"Temp File");
f.dir=dirnum;
if(useron.misc&(RIP|WIP|HTML) && !(useron.misc&EXPERT))
......@@ -98,7 +98,7 @@ void sbbs_t::temp_xfer()
menu("tempxfer"); }
ASYNC;
bputs(text[TempDirPrompt]);
strcpy(f.uler,temp_uler);
SAFECOPY(f.uler,temp_uler);
ch=(char)getkeys("ADEFNILQRVX?\r",0);
if(ch>' ')
logch(ch,0);
......@@ -153,7 +153,7 @@ void sbbs_t::temp_xfer()
xfer_prot_menu(XFER_DOWNLOAD);
SYNC;
mnemonics(text[ProtocolOrQuit]);
strcpy(tmp2,"Q");
SAFECOPY(tmp2,"Q");
for(i=0;i<cfg.total_prots;i++)
if(cfg.prot[i]->dlcmd[0] && chk_ar(cfg.prot[i]->ar,&useron)) {
sprintf(tmp,"%c",cfg.prot[i]->mnemonic);
......@@ -314,11 +314,11 @@ void sbbs_t::extract(uint dirnum)
|| strchr(fname,'?'))
return;
padfname(fname,f.name);
strcpy(str,f.name);
SAFECOPY(str,f.name);
truncsp(str);
for(i=0;i<cfg.total_fextrs;i++)
if(!stricmp(str+9,cfg.fextr[i]->ext) && chk_ar(cfg.fextr[i]->ar,&useron)) {
strcpy(excmd,cfg.fextr[i]->cmd);
SAFECOPY(excmd,cfg.fextr[i]->cmd);
break; }
if(i==cfg.total_fextrs) {
bputs(text[UnextractableFile]);
......@@ -363,8 +363,8 @@ void sbbs_t::extract(uint dirnum)
temp_cdt=0L;
else
temp_cdt=f.cdt;
strcpy(temp_uler,f.uler);
strcpy(temp_file,f.name); } /* padded filename */
SAFECOPY(temp_uler,f.uler);
SAFECOPY(temp_file,f.name); } /* padded filename */
if(!fexistcase(path)) {
bputs(text[FileNotThere]); /* not on disk */
return; }
......@@ -438,8 +438,8 @@ ulong sbbs_t::create_filelist(char *name, long mode)
bputs(text[NoFiles]);
sprintf(str,"%s%s",cfg.temp_dir,name);
remove(str); }
strcpy(temp_file,name);
strcpy(temp_uler,"File List");
SAFECOPY(temp_file,name);
SAFECOPY(temp_uler,"File List");
return(k);
}
......
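Review bot: `SAFECOPY(f.uler,temp_uler);` in temp_xfer() caps the copy, but it still reads `temp_uler` before anything in these hunks has written it, so `f.uler` can be filled with stale bytes up to its capacity. The only writers visible are extract() and create_filelist(), and both run after a user action. The commit message names the uninitialised string as the cause, so the fix would be more complete with `temp_uler[0]=0;` (and the same for `temp_file`) wherever the sbbs_t members are set up. That site is outside the hunks shown, so confirm it is not already done there.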