Commit abc00bd1 authored by Andrew Price's avatar Andrew Price

Fix two buffer overflows

1. incoming_pipe is -1 in idle() when a new user runs mw with autochat
2. ls() could write more than SUBJECTSIZE+1 chars into its
   SUBJECTSIZE+1-char buffer.

Fixes #24
parent 49b1776e
+6 −4
@@ -966,8 +966,10 @@ int idle(int fd, int millis)
	int incoming_pipe = ipc_getfd();
	FD_ZERO(&readfds);
	FD_ZERO(&exceptfds);
	if (incoming_pipe >= 0) {
		FD_SET(incoming_pipe, &readfds);
		FD_SET(incoming_pipe, &exceptfds);
	}
	if (fd >= 0)
	{
		FD_SET(fd, &readfds);
@@ -986,7 +988,7 @@ int idle(int fd, int millis)
	select_error = errno;
	if (fd >= 0) fcntl(fd, F_SETFL, fl);
	if (nfds > 0) {
		if (FD_ISSET(incoming_pipe, &exceptfds)) {
		if (incoming_pipe >= 0 && FD_ISSET(incoming_pipe, &exceptfds)) {
			fprintf(stderr, _("\nError reading incoming message pipe. panic.\n"));
			return -1;
		}
@@ -994,7 +996,7 @@ int idle(int fd, int millis)
			fprintf(stderr, _("\nError on input terminal, argh.\n"));
			return -1;
		}
		if (FD_ISSET(incoming_pipe, &readfds))
		if (incoming_pipe >= 0 && FD_ISSET(incoming_pipe, &readfds))
		       handle_mesg();
	}
	in_idle--;
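Review bot: The added `incoming_pipe >= 0` guards at the FD_SET and FD_ISSET sites stop the negative index, but none of them bounds the descriptor from above: FD_SET/FD_ISSET with a descriptor at or beyond FD_SETSIZE is undefined behaviour and on common libcs writes past the end of the fd_set on the stack, which is the same class of overflow this commit fixes. The same applies to the unguarded `FD_SET(fd, &readfds)` that follows in the first hunk. Tighten the new guard to `if (incoming_pipe >= 0 && incoming_pipe < FD_SETSIZE) {` (and `if (fd >= 0 && fd < FD_SETSIZE)` for the terminal descriptor), or route such descriptors to the existing "panic" return. idle's body starts and ends outside the hunks, so I cannot see how nfds or the select() argument is derived from these descriptors.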
+4 −12
@@ -166,7 +166,6 @@ void ls(int folnum, struct user *user, int many)
	int afile;
	struct folder fold;
	struct Header head;
	char buff[SUBJECTSIZE+1];
	int linecount=0;
	int listpoint;
	int screen_height = screen_h();
@@ -198,17 +197,10 @@ void ls(int folnum, struct user *user, int many)
		(is_private(&fold, user) && (stringcmp(head.from, user->record.name, -1)
		      || stringcmp(head.to, user->record.name, -1))))) /*marked for deletion*/
		{
			strncpy(buff,head.to,NAMESIZE);
			buff[NAMESIZE]=0;
			printf("%4d  %*s -> %*s  ",
			head.Ref,NAMESIZE,head.from,NAMESIZE,buff);
			if (strlen(head.subject)>40)
			{
				strncpy(buff,head.subject,37);
				strcat(buff,"...");
			}else
				strcpy(buff,head.subject);
			printf("%s\n",buff);
			printf("%4d  %*s -> %*s  ", head.Ref,
			       NAMESIZE, head.from,
			       NAMESIZE, head.to);
			printf("%.*s\n", SUBJECTSIZE, head.subject);
			linecount++;
			if (linecount>=(screen_height-1))
			{
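Review bot: The new printf at `"%4d  %*s -> %*s  "` passes head.from and head.to through `%*s`, where NAMESIZE is only a minimum field width, so printf reads until it finds a NUL regardless of the field size; the removed strncpy/`buff[NAMESIZE]=0` pair was the only thing that bounded head.to. If struct Header's from/to are fixed-size fields read from the folder file (the struct is not visible here), an unterminated name would be read past its field, the same class of issue this commit fixes for the subject line. Bound the read with a precision the way the subject line already does: `printf("%4d  %*.*s -> %*.*s  ", head.Ref, NAMESIZE, NAMESIZE, head.from, NAMESIZE, NAMESIZE, head.to);`. This keeps the right-justified width but never reads more than NAMESIZE bytes from either field. ls begins before the first hunk and ends after the last one.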