9pfs/solanum-vs-hackint-and-charybdis
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

ircd: s_conf: fix use of strlcpy in strip_tabs

Browse source 
strlcpy should be called with the size of the destination buffer, not
the length of the source string.

When the source is an empty string, the destination buffer isn't
written at all, resulting in it trying to output uninitialised data.

This could also cause a buffer overflow on very long invalid config
lines.
This commit is contained in:
Simon Arlott 2017-06-25 19:48:49 +01:00
parent 789bb31c92
commit 62c0ac4124
No known key found for this signature in database
GPG key ID: C8975F2043CA5D24
1 changed files with 5 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
src/s_conf.c
View file

@ -1616,15 +1616,15 @@ conf_add_d_conf(struct ConfItem *aconf)
} }
} }
static char * static void
strip_tabs(char *dest, const char *src, size_t len) strip_tabs(char *dest, const char *src, size_t size)
{ {
char *d = dest; char *d = dest;
if(dest == NULL || src == NULL) if(dest == NULL || src == NULL)
return NULL; return;
rb_strlcpy(dest, src, len); rb_strlcpy(dest, src, size);
while(*d) while(*d)
{ {
@ -1632,7 +1632,6 @@ strip_tabs(char *dest, const char *src, size_t len)
*d = ' '; *d = ' ';
d++; d++;
} }
return dest;
} }
/* /*
@ -1647,7 +1646,7 @@ yyerror(const char *msg)
{ {
char newlinebuf[BUFSIZE]; char newlinebuf[BUFSIZE];
strip_tabs(newlinebuf, yy_linebuf, strlen(yy_linebuf)); strip_tabs(newlinebuf, yy_linebuf, sizeof(newlinebuf));
ierror("\"%s\", line %d: %s at '%s'", conffilebuf, lineno + 1, msg, newlinebuf); ierror("\"%s\", line %d: %s at '%s'", conffilebuf, lineno + 1, msg, newlinebuf);
sendto_realops_snomask(SNO_GENERAL, L_ALL, "\"%s\", line %d: %s at '%s'", sendto_realops_snomask(SNO_GENERAL, L_ALL, "\"%s\", line %d: %s at '%s'",