Synchronet issue #276
Issue created Jun 28, 2021 by Andrew Bao@AndrewB

Bug: usage-of-uninitialized value

A new bug is found. It is in src/sbbs3/scansubs.cpp

```cpp
void sbbs_t::scanallsubs(long mode)
{
	char	str[256];
	char	tmp[512];
	// ...
	for(i=0; i<total_subs && !msgabort(); i++) {
		if(mode&SCAN_POLLS)
			progress(text[Scanning], i, total_subs, 10);
		if(scanposts(sub[i],mode,str))
			break;
	}
```

In function sbbs_t::scanallsubs, array str is not initialized in the first place. It may be initialized inside an if branch by getstr(). However, it may not be initialized in the other branch and is directly used by scanposts(). Then str will be written into cmdline by function safe_snprintf in scanposts(): `safe_snprintf(cmdline, sizeof(cmdline), "%s %s %ld %s", cfg.scanposts_mod, cfg.sub[subnum]->code, mode, find);`

which may cause arbitrary code execution somehow (I am not sure, but it is definitely an uninitialized value use).

Thank you for the review. I also reported this bug to CVE.

Edited Jun 28, 2021 by Andrew Bao
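The pattern the report describes, as an added example that is not Synchronet's code: a hypothetical stand-in for the command-line construction in scanposts() that rejects a `find` buffer with no terminator inside its declared size, and a caller modelling the path where getstr() never runs, with the one-line caller fix (`char str[256] = "";`) switchable for comparison. The names build_cmdline_checked and scan_with_find, the module and sub code strings, and the memset-constructed "stale stack" contents are all assumptions of this example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the cmdline construction in scanposts(),
 * using the same format string as the report. `find` is treated as
 * untrusted: it must be NUL-terminated inside its declared buffer and
 * printable. On rejection cmdline is left empty and false is returned,
 * so no external module is ever spawned with garbage arguments. */
static bool build_cmdline_checked(char *cmdline, size_t cmdlen,
                                  const char *mod, const char *code,
                                  long mode, const char *find, size_t findsz)
{
    cmdline[0] = '\0';
    const char *end = memchr(find, '\0', findsz);
    if (end == NULL)                  /* no terminator within the buffer */
        return false;
    for (const char *p = find; p < end; p++)
        if (!isprint((unsigned char)*p))
            return false;
    snprintf(cmdline, cmdlen, "%s %s %ld %s", mod, code, mode, find);
    return true;
}

/* Models scanallsubs() on the path where getstr() is never called.
 * `initialize` mirrors the one-line caller fix `char str[256] = "";`.
 * Stale stack contents are constructed with memset so the demo is
 * deterministic; a real uninitialized read is undefined behaviour. */
static bool scan_with_find(bool initialize, char *cmdline, size_t cmdlen)
{
    char str[256];
    memset(str, 'A', sizeof(str));    /* constructed: unterminated junk */
    if (initialize)
        str[0] = '\0';                /* what `= ""` would have done */
    return build_cmdline_checked(cmdline, cmdlen, "scanposts_mod",
                                 "GENERAL", 0L, str, sizeof(str));
}

int main(void)
{
    char cmdline[512];
    bool ok = scan_with_find(false, cmdline, sizeof cmdline);
    printf("uninitialised find: %s\n", ok ? "accepted" : "rejected");
    ok = scan_with_find(true, cmdline, sizeof cmdline);
    printf("initialised find:   %s -> \"%s\"\n",
           ok ? "accepted" : "rejected", cmdline);
    return 0;
}
```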