Commit 27a554ee authored by rswindell's avatar rswindell

Bugfix (buffer overflow) in sbbs_t::temp_xfer(). strcpy() of uninitialized
temp_uler string overwrites f.dir and other stuff.
Man I can't wait to nuke this code! Blechy! Pew!
parent 9e883f9e
...@@ -8,7 +8,7 @@ ...@@ -8,7 +8,7 @@
* @format.tab-size 4 (Plain Text/Source Code File Header) * * @format.tab-size 4 (Plain Text/Source Code File Header) *
* @format.use-tabs true (see http://www.synchro.net/ptsc_hdr.html) * * @format.use-tabs true (see http://www.synchro.net/ptsc_hdr.html) *
* * * *
* Copyright 2003 Rob Swindell - http://www.synchro.net/copyright.html * * Copyright 2005 Rob Swindell - http://www.synchro.net/copyright.html *
* * * *
* This program is free software; you can redistribute it and/or * * This program is free software; you can redistribute it and/or *
* modify it under the terms of the GNU General Public License * * modify it under the terms of the GNU General Public License *
...@@ -48,7 +48,7 @@ BOOL DLLCALL getfiledat(scfg_t* cfg, file_t* f) ...@@ -48,7 +48,7 @@ BOOL DLLCALL getfiledat(scfg_t* cfg, file_t* f)
int file; int file;
long length; long length;
sprintf(str,"%s%s.dat",cfg->dir[f->dir]->data_dir,cfg->dir[f->dir]->code); SAFEPRINTF2(str,"%s%s.dat",cfg->dir[f->dir]->data_dir,cfg->dir[f->dir]->code);
if((file=sopen(str,O_RDONLY|O_BINARY,SH_DENYWR))==-1) { if((file=sopen(str,O_RDONLY|O_BINARY,SH_DENYWR))==-1) {
return(FALSE); return(FALSE);
} }
...@@ -125,7 +125,7 @@ BOOL DLLCALL putfiledat(scfg_t* cfg, file_t* f) ...@@ -125,7 +125,7 @@ BOOL DLLCALL putfiledat(scfg_t* cfg, file_t* f)
buf[F_MISC]=f->misc+' '; buf[F_MISC]=f->misc+' ';
putrec(buf,F_ALTPATH,2,hexplus(f->altpath,tmp)); putrec(buf,F_ALTPATH,2,hexplus(f->altpath,tmp));
putrec(buf,F_ALTPATH+2,2,crlf); putrec(buf,F_ALTPATH+2,2,crlf);
sprintf(str,"%s%s.dat",cfg->dir[f->dir]->data_dir,cfg->dir[f->dir]->code); SAFEPRINTF2(str,"%s%s.dat",cfg->dir[f->dir]->data_dir,cfg->dir[f->dir]->code);
if((file=sopen(str,O_WRONLY|O_BINARY,SH_DENYRW))==-1) { if((file=sopen(str,O_WRONLY|O_BINARY,SH_DENYRW))==-1) {
return(FALSE); return(FALSE);
} }
...@@ -169,7 +169,7 @@ BOOL DLLCALL addfiledat(scfg_t* cfg, file_t* f) ...@@ -169,7 +169,7 @@ BOOL DLLCALL addfiledat(scfg_t* cfg, file_t* f)
/************************/ /************************/
/* Add data to DAT File */ /* Add data to DAT File */
/************************/ /************************/
sprintf(str,"%s%s.dat",cfg->dir[f->dir]->data_dir,cfg->dir[f->dir]->code); SAFEPRINTF2(str,"%s%s.dat",cfg->dir[f->dir]->data_dir,cfg->dir[f->dir]->code);
if((file=sopen(str,O_RDWR|O_BINARY|O_CREAT,SH_DENYRW,S_IREAD|S_IWRITE))==-1) { if((file=sopen(str,O_RDWR|O_BINARY|O_CREAT,SH_DENYRW,S_IREAD|S_IWRITE))==-1) {
return(FALSE); return(FALSE);
} }
...@@ -221,7 +221,7 @@ BOOL DLLCALL addfiledat(scfg_t* cfg, file_t* f) ...@@ -221,7 +221,7 @@ BOOL DLLCALL addfiledat(scfg_t* cfg, file_t* f)
/*******************************************/ /*******************************************/
/* Update last upload date/time stamp file */ /* Update last upload date/time stamp file */
/*******************************************/ /*******************************************/
sprintf(str,"%s%s.dab",cfg->dir[f->dir]->data_dir,cfg->dir[f->dir]->code); SAFEPRINTF2(str,"%s%s.dab",cfg->dir[f->dir]->data_dir,cfg->dir[f->dir]->code);
if((file=sopen(str,O_WRONLY|O_CREAT|O_BINARY,SH_DENYRW,S_IREAD|S_IWRITE))!=-1) { if((file=sopen(str,O_WRONLY|O_CREAT|O_BINARY,SH_DENYRW,S_IREAD|S_IWRITE))!=-1) {
now=time(NULL); now=time(NULL);
write(file,&now,4); write(file,&now,4);
...@@ -231,10 +231,10 @@ BOOL DLLCALL addfiledat(scfg_t* cfg, file_t* f) ...@@ -231,10 +231,10 @@ BOOL DLLCALL addfiledat(scfg_t* cfg, file_t* f)
/************************/ /************************/
/* Add data to IXB File */ /* Add data to IXB File */
/************************/ /************************/
strcpy(fname,f->name); SAFECOPY(fname,f->name);
for(i=8;i<12;i++) /* Turn FILENAME.EXT into FILENAMEEXT */ for(i=8;i<12;i++) /* Turn FILENAME.EXT into FILENAMEEXT */
fname[i]=fname[i+1]; fname[i]=fname[i+1];
sprintf(str,"%s%s.ixb",cfg->dir[f->dir]->data_dir,cfg->dir[f->dir]->code); SAFEPRINTF2(str,"%s%s.ixb",cfg->dir[f->dir]->data_dir,cfg->dir[f->dir]->code);
if((file=sopen(str,O_RDWR|O_CREAT|O_BINARY,SH_DENYRW,S_IREAD|S_IWRITE))==-1) { if((file=sopen(str,O_RDWR|O_CREAT|O_BINARY,SH_DENYRW,S_IREAD|S_IWRITE))==-1) {
return(FALSE); return(FALSE);
} }
...@@ -330,7 +330,7 @@ BOOL DLLCALL getfileixb(scfg_t* cfg, file_t* f) ...@@ -330,7 +330,7 @@ BOOL DLLCALL getfileixb(scfg_t* cfg, file_t* f)
int file; int file;
long l,length; long l,length;
sprintf(str,"%s%s.ixb",cfg->dir[f->dir]->data_dir,cfg->dir[f->dir]->code); SAFEPRINTF2(str,"%s%s.ixb",cfg->dir[f->dir]->data_dir,cfg->dir[f->dir]->code);
if((file=sopen(str,O_RDONLY|O_BINARY,SH_DENYWR))==-1) { if((file=sopen(str,O_RDONLY|O_BINARY,SH_DENYWR))==-1) {
return(FALSE); return(FALSE);
} }
...@@ -349,11 +349,11 @@ BOOL DLLCALL getfileixb(scfg_t* cfg, file_t* f) ...@@ -349,11 +349,11 @@ BOOL DLLCALL getfileixb(scfg_t* cfg, file_t* f)
return(FALSE); return(FALSE);
} }
close(file); close(file);
strcpy(fname,f->name); SAFECOPY(fname,f->name);
for(l=8;l<12;l++) /* Turn FILENAME.EXT into FILENAMEEXT */ for(l=8;l<12;l++) /* Turn FILENAME.EXT into FILENAMEEXT */
fname[l]=fname[l+1]; fname[l]=fname[l+1];
for(l=0;l<length;l+=F_IXBSIZE) { for(l=0;l<length;l+=F_IXBSIZE) {
sprintf(str,"%11.11s",ixbbuf+l); SAFEPRINTF(str,"%11.11s",ixbbuf+l);
if(!stricmp(str,fname)) if(!stricmp(str,fname))
break; break;
} }
...@@ -380,10 +380,10 @@ BOOL DLLCALL removefiledat(scfg_t* cfg, file_t* f) ...@@ -380,10 +380,10 @@ BOOL DLLCALL removefiledat(scfg_t* cfg, file_t* f)
int i,file; int i,file;
long l,length; long l,length;
strcpy(fname,f->name); SAFECOPY(fname,f->name);
for(i=8;i<12;i++) /* Turn FILENAME.EXT into FILENAMEEXT */ for(i=8;i<12;i++) /* Turn FILENAME.EXT into FILENAMEEXT */
fname[i]=fname[i+1]; fname[i]=fname[i+1];
sprintf(str,"%s%s.ixb",cfg->dir[f->dir]->data_dir,cfg->dir[f->dir]->code); SAFEPRINTF2(str,"%s%s.ixb",cfg->dir[f->dir]->data_dir,cfg->dir[f->dir]->code);
if((file=sopen(str,O_RDONLY|O_BINARY,SH_DENYWR))==-1) { if((file=sopen(str,O_RDONLY|O_BINARY,SH_DENYWR))==-1) {
return(FALSE); return(FALSE);
} }
...@@ -418,7 +418,7 @@ BOOL DLLCALL removefiledat(scfg_t* cfg, file_t* f) ...@@ -418,7 +418,7 @@ BOOL DLLCALL removefiledat(scfg_t* cfg, file_t* f)
} }
FREE((char *)ixbbuf); FREE((char *)ixbbuf);
close(file); close(file);
sprintf(str,"%s%s.dat",cfg->dir[f->dir]->data_dir,cfg->dir[f->dir]->code); SAFEPRINTF2(str,"%s%s.dat",cfg->dir[f->dir]->data_dir,cfg->dir[f->dir]->code);
if((file=sopen(str,O_WRONLY|O_BINARY,SH_DENYRW))==-1) { if((file=sopen(str,O_WRONLY|O_BINARY,SH_DENYRW))==-1) {
return(FALSE); return(FALSE);
} }
...@@ -445,11 +445,11 @@ BOOL DLLCALL findfile(scfg_t* cfg, uint dirnum, char *filename) ...@@ -445,11 +445,11 @@ BOOL DLLCALL findfile(scfg_t* cfg, uint dirnum, char *filename)
int i,file; int i,file;
long length,l; long length,l;
sprintf(fname,"%.12s",filename); SAFECOPY(fname,filename);
strupr(fname); strupr(fname);
for(i=8;i<12;i++) /* Turn FILENAME.EXT into FILENAMEEXT */ for(i=8;i<12;i++) /* Turn FILENAME.EXT into FILENAMEEXT */
fname[i]=fname[i+1]; fname[i]=fname[i+1];
sprintf(str,"%s%s.ixb",cfg->dir[dirnum]->data_dir,cfg->dir[dirnum]->code); SAFEPRINTF2(str,"%s%s.ixb",cfg->dir[dirnum]->data_dir,cfg->dir[dirnum]->code);
if((file=sopen(str,O_RDONLY|O_BINARY,SH_DENYWR))==-1) return(FALSE); if((file=sopen(str,O_RDONLY|O_BINARY,SH_DENYWR))==-1) return(FALSE);
length=filelength(file); length=filelength(file);
if(!length) { if(!length) {
...@@ -523,7 +523,7 @@ BOOL DLLCALL rmuserxfers(scfg_t* cfg, int fromuser, int destuser, char *fname) ...@@ -523,7 +523,7 @@ BOOL DLLCALL rmuserxfers(scfg_t* cfg, int fromuser, int destuser, char *fname)
int file; int file;
long l,length; long l,length;
sprintf(str,"%sxfer.ixt", cfg->data_dir); SAFEPRINTF(str,"%sxfer.ixt", cfg->data_dir);
if(!fexist(str)) if(!fexist(str))
return(FALSE); return(FALSE);
if(!flength(str)) { if(!flength(str)) {
...@@ -581,7 +581,7 @@ void DLLCALL getextdesc(scfg_t* cfg, uint dirnum, ulong datoffset, char *ext) ...@@ -581,7 +581,7 @@ void DLLCALL getextdesc(scfg_t* cfg, uint dirnum, ulong datoffset, char *ext)
int file; int file;
memset(ext,0,F_EXBSIZE+1); memset(ext,0,F_EXBSIZE+1);
sprintf(str,"%s%s.exb",cfg->dir[dirnum]->data_dir,cfg->dir[dirnum]->code); SAFEPRINTF2(str,"%s%s.exb",cfg->dir[dirnum]->data_dir,cfg->dir[dirnum]->code);
if((file=nopen(str,O_RDONLY))==-1) if((file=nopen(str,O_RDONLY))==-1)
return; return;
lseek(file,(datoffset/F_LEN)*F_EXBSIZE,SEEK_SET); lseek(file,(datoffset/F_LEN)*F_EXBSIZE,SEEK_SET);
...@@ -596,7 +596,7 @@ void DLLCALL putextdesc(scfg_t* cfg, uint dirnum, ulong datoffset, char *ext) ...@@ -596,7 +596,7 @@ void DLLCALL putextdesc(scfg_t* cfg, uint dirnum, ulong datoffset, char *ext)
strip_invalid_attr(ext); /* eliminate bogus ctrl-a codes */ strip_invalid_attr(ext); /* eliminate bogus ctrl-a codes */
memset(nulbuf,0,sizeof(nulbuf)); memset(nulbuf,0,sizeof(nulbuf));
sprintf(str,"%s%s.exb",cfg->dir[dirnum]->data_dir,cfg->dir[dirnum]->code); SAFEPRINTF2(str,"%s%s.exb",cfg->dir[dirnum]->data_dir,cfg->dir[dirnum]->code);
if((file=nopen(str,O_WRONLY|O_CREAT))==-1) if((file=nopen(str,O_WRONLY|O_CREAT))==-1)
return; return;
lseek(file,0L,SEEK_END); lseek(file,0L,SEEK_END);
...@@ -619,7 +619,7 @@ int DLLCALL update_uldate(scfg_t* cfg, file_t* f) ...@@ -619,7 +619,7 @@ int DLLCALL update_uldate(scfg_t* cfg, file_t* f)
/*******************/ /*******************/
/* Update IXB File */ /* Update IXB File */
/*******************/ /*******************/
sprintf(str,"%s%s.ixb",cfg->dir[f->dir]->data_dir,cfg->dir[f->dir]->code); SAFEPRINTF2(str,"%s%s.ixb",cfg->dir[f->dir]->data_dir,cfg->dir[f->dir]->code);
if((file=nopen(str,O_RDWR))==-1) if((file=nopen(str,O_RDWR))==-1)
return(errno); return(errno);
length=filelength(file); length=filelength(file);
...@@ -627,7 +627,7 @@ int DLLCALL update_uldate(scfg_t* cfg, file_t* f) ...@@ -627,7 +627,7 @@ int DLLCALL update_uldate(scfg_t* cfg, file_t* f)
close(file); close(file);
return(-1); return(-1);
} }
strcpy(fname,f->name); SAFECOPY(fname,f->name);
for(i=8;i<12;i++) /* Turn FILENAME.EXT into FILENAMEEXT */ for(i=8;i<12;i++) /* Turn FILENAME.EXT into FILENAMEEXT */
fname[i]=fname[i+1]; fname[i]=fname[i+1];
for(l=0;l<length;l+=F_IXBSIZE) { for(l=0;l<length;l+=F_IXBSIZE) {
...@@ -645,7 +645,7 @@ int DLLCALL update_uldate(scfg_t* cfg, file_t* f) ...@@ -645,7 +645,7 @@ int DLLCALL update_uldate(scfg_t* cfg, file_t* f)
/*******************************************/ /*******************************************/
/* Update last upload date/time stamp file */ /* Update last upload date/time stamp file */
/*******************************************/ /*******************************************/
sprintf(str,"%s%s.dab",cfg->dir[f->dir]->data_dir,cfg->dir[f->dir]->code); SAFEPRINTF2(str,"%s%s.dab",cfg->dir[f->dir]->data_dir,cfg->dir[f->dir]->code);
if((file=nopen(str,O_WRONLY|O_CREAT))==-1) if((file=nopen(str,O_WRONLY|O_CREAT))==-1)
return(errno); return(errno);
...@@ -663,9 +663,9 @@ char* DLLCALL getfilepath(scfg_t* cfg, file_t* f, char* path) ...@@ -663,9 +663,9 @@ char* DLLCALL getfilepath(scfg_t* cfg, file_t* f, char* path)
unpadfname(f->name,fname); unpadfname(f->name,fname);
if(f->dir>=cfg->total_dirs) if(f->dir>=cfg->total_dirs)
sprintf(path,"%s%s",cfg->temp_dir,fname); SAFEPRINTF2(path,"%s%s",cfg->temp_dir,fname);
else else
sprintf(path,"%s%s",f->altpath>0 && f->altpath<=cfg->altpaths SAFEPRINTF2(path,"%s%s",f->altpath>0 && f->altpath<=cfg->altpaths
? cfg->altpath[f->altpath-1] : cfg->dir[f->dir]->path ? cfg->altpath[f->altpath-1] : cfg->dir[f->dir]->path
,fname); ,fname);
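Review bot: In the getfilepath() hunk the destination `path` is a `char*` parameter rather than an array, so if `SAFEPRINTF2` bounds its write with `sizeof(dst)` (its use on local arrays throughout this commit suggests so; the macro definition is not shown here) the limit becomes the size of a pointer and the returned path is cut to a few characters. Both `SAFEPRINTF2(path,...)` calls should take an explicit length that matches the caller's buffer, e.g. `snprintf(path,PATH_BUF_LEN,"%s%s",cfg->temp_dir,fname);`, where `PATH_BUF_LEN` is a placeholder for the size callers are documented to pass. The same assumption sits under `SAFECOPY(fname,filename)` in findfile(): it replaces an explicit `%.12s` limit and is only equivalent if `fname` is a local array of exactly 13 bytes (the loop below reads `fname[12]`), and that declaration lies outside the hunk.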
......
...@@ -8,7 +8,7 @@ ...@@ -8,7 +8,7 @@
* @format.tab-size 4 (Plain Text/Source Code File Header) * * @format.tab-size 4 (Plain Text/Source Code File Header) *
* @format.use-tabs true (see http://www.synchro.net/ptsc_hdr.html) * * @format.use-tabs true (see http://www.synchro.net/ptsc_hdr.html) *
* * * *
* Copyright 2004 Rob Swindell - http://www.synchro.net/copyright.html * * Copyright 2005 Rob Swindell - http://www.synchro.net/copyright.html *
* * * *
* This program is free software; you can redistribute it and/or * * This program is free software; you can redistribute it and/or *
* modify it under the terms of the GNU General Public License * * modify it under the terms of the GNU General Public License *
...@@ -66,11 +66,11 @@ void sbbs_t::temp_xfer() ...@@ -66,11 +66,11 @@ void sbbs_t::temp_xfer()
errormsg(WHERE,ERR_ALLOC,"temp_dir",sizeof(dir_t)); errormsg(WHERE,ERR_ALLOC,"temp_dir",sizeof(dir_t));
return; } return; }
memset(cfg.dir[dirnum],0,sizeof(dir_t)); memset(cfg.dir[dirnum],0,sizeof(dir_t));
strcpy(cfg.dir[dirnum]->lname,"Temporary"); SAFECOPY(cfg.dir[dirnum]->lname,"Temporary");
strcpy(cfg.dir[dirnum]->sname,"Temp"); SAFECOPY(cfg.dir[dirnum]->sname,"Temp");
strcpy(cfg.dir[dirnum]->code,"TEMP"); SAFECOPY(cfg.dir[dirnum]->code,"TEMP");
strcpy(cfg.dir[dirnum]->path,cfg.temp_dir); SAFECOPY(cfg.dir[dirnum]->path,cfg.temp_dir);
strcpy(cfg.dir[dirnum]->data_dir,cfg.dir[0]->data_dir); SAFECOPY(cfg.dir[dirnum]->data_dir,cfg.dir[0]->data_dir);
cfg.dir[dirnum]->maxfiles=MAX_FILES; cfg.dir[dirnum]->maxfiles=MAX_FILES;
cfg.dir[dirnum]->op_ar=(uchar *)nulstr; cfg.dir[dirnum]->op_ar=(uchar *)nulstr;
temp_dirnum=curdirnum=usrdir[curlib][curdir[curlib]]; temp_dirnum=curdirnum=usrdir[curlib][curdir[curlib]];
...@@ -80,8 +80,8 @@ void sbbs_t::temp_xfer() ...@@ -80,8 +80,8 @@ void sbbs_t::temp_xfer()
/* Fill filedat information */ /* Fill filedat information */
/****************************/ /****************************/
memset(&f,0,sizeof(f)); memset(&f,0,sizeof(f));
sprintf(f.name,"temp_%3.3d.%s",cfg.node_num,useron.tmpext); SAFEPRINTF2(f.name,"temp_%3.3d.%s",cfg.node_num,useron.tmpext);
strcpy(f.desc,"Temp File"); SAFECOPY(f.desc,"Temp File");
f.dir=dirnum; f.dir=dirnum;
if(useron.misc&(RIP|WIP|HTML) && !(useron.misc&EXPERT)) if(useron.misc&(RIP|WIP|HTML) && !(useron.misc&EXPERT))
...@@ -98,7 +98,7 @@ void sbbs_t::temp_xfer() ...@@ -98,7 +98,7 @@ void sbbs_t::temp_xfer()
menu("tempxfer"); } menu("tempxfer"); }
ASYNC; ASYNC;
bputs(text[TempDirPrompt]); bputs(text[TempDirPrompt]);
strcpy(f.uler,temp_uler); SAFECOPY(f.uler,temp_uler);
ch=(char)getkeys("ADEFNILQRVX?\r",0); ch=(char)getkeys("ADEFNILQRVX?\r",0);
if(ch>' ') if(ch>' ')
logch(ch,0); logch(ch,0);
...@@ -153,7 +153,7 @@ void sbbs_t::temp_xfer() ...@@ -153,7 +153,7 @@ void sbbs_t::temp_xfer()
xfer_prot_menu(XFER_DOWNLOAD); xfer_prot_menu(XFER_DOWNLOAD);
SYNC; SYNC;
mnemonics(text[ProtocolOrQuit]); mnemonics(text[ProtocolOrQuit]);
strcpy(tmp2,"Q"); SAFECOPY(tmp2,"Q");
for(i=0;i<cfg.total_prots;i++) for(i=0;i<cfg.total_prots;i++)
if(cfg.prot[i]->dlcmd[0] && chk_ar(cfg.prot[i]->ar,&useron)) { if(cfg.prot[i]->dlcmd[0] && chk_ar(cfg.prot[i]->ar,&useron)) {
sprintf(tmp,"%c",cfg.prot[i]->mnemonic); sprintf(tmp,"%c",cfg.prot[i]->mnemonic);
...@@ -314,11 +314,11 @@ void sbbs_t::extract(uint dirnum) ...@@ -314,11 +314,11 @@ void sbbs_t::extract(uint dirnum)
|| strchr(fname,'?')) || strchr(fname,'?'))
return; return;
padfname(fname,f.name); padfname(fname,f.name);
strcpy(str,f.name); SAFECOPY(str,f.name);
truncsp(str); truncsp(str);
for(i=0;i<cfg.total_fextrs;i++) for(i=0;i<cfg.total_fextrs;i++)
if(!stricmp(str+9,cfg.fextr[i]->ext) && chk_ar(cfg.fextr[i]->ar,&useron)) { if(!stricmp(str+9,cfg.fextr[i]->ext) && chk_ar(cfg.fextr[i]->ar,&useron)) {
strcpy(excmd,cfg.fextr[i]->cmd); SAFECOPY(excmd,cfg.fextr[i]->cmd);
break; } break; }
if(i==cfg.total_fextrs) { if(i==cfg.total_fextrs) {
bputs(text[UnextractableFile]); bputs(text[UnextractableFile]);
...@@ -363,8 +363,8 @@ void sbbs_t::extract(uint dirnum) ...@@ -363,8 +363,8 @@ void sbbs_t::extract(uint dirnum)
temp_cdt=0L; temp_cdt=0L;
else else
temp_cdt=f.cdt; temp_cdt=f.cdt;
strcpy(temp_uler,f.uler); SAFECOPY(temp_uler,f.uler);
strcpy(temp_file,f.name); } /* padded filename */ SAFECOPY(temp_file,f.name); } /* padded filename */
if(!fexistcase(path)) { if(!fexistcase(path)) {
bputs(text[FileNotThere]); /* not on disk */ bputs(text[FileNotThere]); /* not on disk */
return; } return; }
...@@ -438,8 +438,8 @@ ulong sbbs_t::create_filelist(char *name, long mode) ...@@ -438,8 +438,8 @@ ulong sbbs_t::create_filelist(char *name, long mode)
bputs(text[NoFiles]); bputs(text[NoFiles]);
sprintf(str,"%s%s",cfg.temp_dir,name); sprintf(str,"%s%s",cfg.temp_dir,name);
remove(str); } remove(str); }
strcpy(temp_file,name); SAFECOPY(temp_file,name);
strcpy(temp_uler,"File List"); SAFECOPY(temp_uler,"File List");
return(k); return(k);
} }
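Review bot: `SAFECOPY(f.uler,temp_uler)` in temp_xfer() bounds the write, but the source is still the uninitialized `temp_uler` the commit message describes, so `f.uler` can still be filled with stale bytes up to its capacity; nothing in the visible hunks gives `temp_uler` a defined value before this first use. Clearing it where the object is set up, e.g. `temp_uler[0]=0;`, would remove the cause instead of capping the effect (that initialization site is outside the hunks shown). Separately, the context lines `sprintf(tmp,"%c",cfg.prot[i]->mnemonic);` in temp_xfer() and `sprintf(str,"%s%s",cfg.temp_dir,name);` in create_filelist() were left unbounded; the second formats a caller-supplied `name` and should become `SAFEPRINTF2(str,"%s%s",cfg.temp_dir,name);`, provided `str` is a local array there.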
......