Forráskód Böngészése

* Fix buffer overflow in botlink encryption writing

Bryan Drewery 16 éve
szülő
commit
6578809c2a
2 módosított fájl, 7 hozzáadás és 9 törlés
  1. 2 0
      doc/UPDATES
  2. 5 9
      src/enclink.c

+ 2 - 0
doc/UPDATES

@@ -1,3 +1,5 @@
+* Fix buffer overflow in DCC
+
 1.3 - http://wraith.botpack.net/milestone/1.3
 * Binary / shell / startup changes
   * Binary error messages are no longer obscure numbers or fake segfaults. (Compile with OBSCURE_ERRORS to re-enable)

+ 5 - 9
src/enclink.c

@@ -150,38 +150,34 @@ static const char *ghost_write(int snum, const char *src, size_t *len)
 {
   static char buf[SGRAB + 14] = "";
   char *srcbuf = NULL, *line = NULL, *eol = NULL, *eline = NULL;
-  size_t bufpos = 0;
 
   const size_t bufsiz = *len + 9 + 1;
   srcbuf = (char *) my_calloc(1, bufsiz);
   strlcpy(srcbuf, src, bufsiz);
   line = srcbuf;
+  buf[0] = 0;
 
   eol = strchr(line, '\n');
   while (eol) {
     *eol++ = 0;
     eline = encrypt_string(socklist[snum].okey, line);
     rotate_key(socklist[snum].okey, socklist[snum].oseed);
-//    buf = (char *) my_realloc(buf, bufpos + strlen(eline) + 1 + 9);
-    strcpy((char *) &buf[bufpos], eline);
+    strlcat(buf, eline, sizeof(buf));
     free(eline);
-    strcat(buf, "\n");
-    bufpos = strlen(buf);
+    *len = strlcat(buf, "\n", sizeof(buf));
     line = eol;
     eol = strchr(line, '\n');
   }
   if (line[0]) {
     eline = encrypt_string(socklist[snum].okey, line);
     rotate_key(socklist[snum].okey, socklist[snum].oseed);
-//    buf = (char *) my_realloc(buf, bufpos + strlen(eline) + 1 + 9);
-    strcpy((char *) &buf[bufpos], eline);
+    strlcat(buf, eline, sizeof(buf));
     free(eline);
-    strcat(buf, "\n");
+    *len = strlcat(buf, "\n", sizeof(buf));
   }
   OPENSSL_cleanse(srcbuf, bufsiz);
   free(srcbuf);
 
-  *len = strlen(buf);
   return buf;
 }