From 4112b74444b00fbee484b7a6c15aa26c2fdf7f84 Mon Sep 17 00:00:00 2001
From: rswindell <>
Date: Fri, 19 Mar 2004 09:59:52 +0000
Subject: [PATCH] Bugfix: a couple of buffer-overflow possibilities in
 sockprintf() - depending on the CRTL implementation of vsnprintf().

---
 src/sbbs3/ftpsrvr.c  | 15 ++++++++++-----
 src/sbbs3/mailsrvr.c | 15 ++++++++++-----
 2 files changed, 20 insertions(+), 10 deletions(-)

diff --git a/src/sbbs3/ftpsrvr.c b/src/sbbs3/ftpsrvr.c
index 35d426ae1d..8b4342ccbd 100644
--- a/src/sbbs3/ftpsrvr.c
+++ b/src/sbbs3/ftpsrvr.c
@@ -273,6 +273,7 @@ static int ftp_close_socket(SOCKET* sock, int line)
 static int sockprintf(SOCKET sock, char *fmt, ...)
 {
 	int		len;
+	int		maxlen;
 	int		result;
 	va_list argptr;
 	char	sbuf[1024];
@@ -280,13 +281,17 @@ static int sockprintf(SOCKET sock, char *fmt, ...)
 	struct timeval tv;
 
     va_start(argptr,fmt);
-    len=vsnprintf(sbuf,sizeof(sbuf),fmt,argptr);
-	sbuf[sizeof(sbuf)-1]=0;
+    len=vsnprintf(sbuf,maxlen=sizeof(sbuf)-2,fmt,argptr);
+    va_end(argptr);
+
+	if(len<0)		/* format error? */
+		return(0);
+	if(len>maxlen)	/* output truncated */
+		len=maxlen;
 	if(startup!=NULL && startup->options&FTP_OPT_DEBUG_TX)
-		lprintf(LOG_DEBUG,"%04d TX: %s", sock, sbuf);
-	strcat(sbuf,"\r\n");
+		lprintf(LOG_DEBUG,"%04d TX: %.*s", sock, len, sbuf);
+	memcpy(sbuf+len,"\r\n",2);
 	len+=2;
-    va_end(argptr);
 
 	if(sock==INVALID_SOCKET) {
 		lprintf(LOG_WARNING,"!INVALID SOCKET in call to sockprintf");
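Review bot: The truncation clamp is off by one for a C99 vsnprintf(): given a size of `maxlen` it stores at most `maxlen-1` characters and puts the terminating NUL at `sbuf[maxlen-1]`, so whenever the return value is `>= maxlen` the code ends up with `len==maxlen` and the `memcpy` lands after that NUL, which is then sent ahead of the CRLF. Nothing is written outside `sbuf`, but the peer receives an embedded zero byte in the reply; giving the formatter the terminator's slot avoids it: `maxlen=sizeof(sbuf)-2; len=vsnprintf(sbuf,maxlen+1,fmt,argptr);`. On CRTLs whose vsnprintf returns a negative value on truncation, the `len<0` branch presumably drops an over-long reply silently via `return(0)`, so a `lprintf(LOG_WARNING,...)` before that return would make the loss visible. The same applies to the identical hunk in src/sbbs3/mailsrvr.c, and sockprintf's body continues outside the hunk.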
diff --git a/src/sbbs3/mailsrvr.c b/src/sbbs3/mailsrvr.c
index c33a623cf7..547a834344 100644
--- a/src/sbbs3/mailsrvr.c
+++ b/src/sbbs3/mailsrvr.c
@@ -236,6 +236,7 @@ static void status(char* str)
 int sockprintf(SOCKET sock, char *fmt, ...)
 {
 	int		len;
+	int		maxlen;
 	int		result;
 	va_list argptr;
 	char	sbuf[1024];
@@ -243,13 +244,17 @@ int sockprintf(SOCKET sock, char *fmt, ...)
 	struct timeval tv;
 
     va_start(argptr,fmt);
-    len=vsnprintf(sbuf,sizeof(sbuf),fmt,argptr);
-	sbuf[sizeof(sbuf)-1]=0;
+    len=vsnprintf(sbuf,maxlen=sizeof(sbuf)-2,fmt,argptr);
+    va_end(argptr);
+
+	if(len<0)		/* format error? */
+		return(0);
+	if(len>maxlen)	/* output truncated */
+		len=maxlen;
 	if(startup->options&MAIL_OPT_DEBUG_TX)
-		lprintf(LOG_DEBUG,"%04d TX: %s", sock, sbuf);
-	strcat(sbuf,"\r\n");
+		lprintf(LOG_DEBUG,"%04d TX: %.*s", sock, len, sbuf);
+	memcpy(sbuf+len,"\r\n",2);
 	len+=2;
-    va_end(argptr);
 
 	if(sock==INVALID_SOCKET) {
 		lprintf(LOG_WARNING,"!INVALID SOCKET in call to sockprintf");
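Review bot: `startup->options` is dereferenced on the debug-logging condition without the `startup!=NULL` guard that the ftpsrvr.c copy of this function has on the same line. Whether sockprintf can be reached in the mail server before `startup` is set is not visible in this hunk, but if it can, the check would crash the server thread. For consistency with ftpsrvr.c, consider `if(startup!=NULL && startup->options&MAIL_OPT_DEBUG_TX)`. The function body continues outside the hunk.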
-- 
GitLab