Log message:
Fix buffer overflow problem; tune lengths fed into ircd_vsnprintf() to take
into account the fact that ircd_vsnprintf() already takes \0 into account.
Testing:
The old hack code to test for this buffer overflow is still in place,
intentionally, to catch any other problems that may crop up. Otherwise,
this code has been compiled and tested and produces the correct results--
never knew I could write a simple client that rapidly ;)
git-svn-id: file:///home/klmitch/undernet-ircu/undernet-ircu-svn/ircu2/trunk@381 c9e4aea6-c8fd-4c43-8297-357d70d61c8c
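As an added illustration of the length arithmetic this commit fixes (not ircu's own code), the C below mirrors the corrected msgq_make(): a constructed struct with a deliberately tiny buffer, plain vsnprintf() standing in for ircd_vsnprintf(), and a helper that works out whether the old, unclamped code would have written past the buffer. The names MSG_SIZE, make_line and old_code_overflows are assumptions made for this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the ircu message buffer; kept tiny so the
 * truncation path is easy to exercise. */
#define MSG_SIZE 16

struct msg {
    char msg[MSG_SIZE];
    size_t length;
};

/* Format like the fixed msgq_make(): vsnprintf() already reserves one byte
 * for the '\0', so a bound of sizeof(msg) - 2 leaves exactly two more bytes
 * for "\r\n".  The clamp stops the "would have written" return value from
 * being used as a write offset (the "overflow by proxy" in the commit). */
static size_t make_line(struct msg *mb, const char *format, ...)
{
    va_list vl;
    int n;

    va_start(vl, format);
    n = vsnprintf(mb->msg, sizeof(mb->msg) - 2, format, vl);
    va_end(vl);

    /* vsnprintf() reports the length it wanted, not what it wrote. */
    mb->length = (n < 0) ? 0 : (size_t)n;
    if (mb->length > sizeof(mb->msg) - 3)
        mb->length = sizeof(mb->msg) - 3;

    mb->msg[mb->length++] = '\r';
    mb->msg[mb->length++] = '\n';
    mb->msg[mb->length] = '\0';
    return mb->length;
}

/* Pure arithmetic, nothing is written: the old code used the unclamped
 * return value as the offset for "\r\n\0", so for a message vsnprintf()
 * reports as `wanted` bytes the '\0' landed at index wanted + 2.  That is
 * out of bounds once wanted + 2 >= MSG_SIZE. */
static int old_code_overflows(size_t wanted)
{
    return wanted + 2 >= MSG_SIZE;
}
```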
+2001-01-24 Kevin L. Mitchell <klmitch@mit.edu>
+
+ * ircd/msgq.c: ircd_vsnprintf() returns the number of bytes that
+ it would have written; upper-bound the number to prevent overflows
+ by proxy; also, tune buffer size given to ircd_vsnprintf() to take
+ into account the fact that ircd_vsnprintf() already takes the
+ terminal \0 into account
+
2001-01-22 Kevin L. Mitchell <klmitch@mit.edu>
* ircd/msgq.c: add an incredibly ugly hack to attempt to track
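Review bot: the entry records that the size passed to ircd_vsnprintf() was tuned and the return value upper-bounded, but not the invariant that results (ircd_vsnprintf() now gets sizeof(mb->msg) - 2 so that the trailing "\r\n" and the '\0' always fit inside the buffer); one clause stating that would save the next reader from re-deriving why the call uses - 2 while the clamp uses - 3.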
mb->ref = 1;
/* fill the buffer */
- mb->length = ircd_vsnprintf(dest, mb->msg, sizeof(mb->msg) - 3, format, vl);
+ mb->length = ircd_vsnprintf(dest, mb->msg, sizeof(mb->msg) - 2, format, vl);
+
+ if (mb->length > sizeof(mb->msg) - 3)
+ mb->length = sizeof(mb->msg) - 3;
mb->msg[mb->length++] = '\r'; /* add \r\n to buffer */
mb->msg[mb->length++] = '\n';
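Review bot: the clamp `if (mb->length > sizeof(mb->msg) - 3)` correctly caps the returned length so that '\r', '\n' and the '\0' land at indices sizeof(mb->msg) - 3 .. sizeof(mb->msg) - 1, but nothing near the code explains why the call passes `sizeof(mb->msg) - 2` while the clamp uses `- 3`; add a one-line comment (ircd_vsnprintf() counts the '\0' itself, two more bytes are reserved for "\r\n") or a named constant for the reserved tail so the two literals cannot drift apart in a later edit. The check also relies on the comparison being done as size_t, which is fine even if ircd_vsnprintf() returned a negative error value into a signed mb->length, but that is worth stating rather than leaving implicit.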
va_start(vl, format); /* append to the buffer */
mb->length += ircd_vsnprintf(dest, mb->msg + mb->length,
- sizeof(mb->msg) - 3 - mb->length, format, vl);
+ sizeof(mb->msg) - 2 - mb->length, format, vl);
+ if (mb->length > sizeof(mb->msg) - 3)
+ mb->length = sizeof(mb->msg) - 3;
+
mb->msg[mb->length++] = '\r'; /* add \r\n to buffer */
mb->msg[mb->length++] = '\n';
mb->msg[mb->length] = '\0'; /* not strictly necessary */
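Review bot: the size argument `sizeof(mb->msg) - 2 - mb->length` is unsigned arithmetic and wraps to a huge value if mb->length is ever greater than sizeof(mb->msg) - 2, which would hand ircd_vsnprintf() an effectively unbounded write; the visible lines do not show the previous "\r\n" being backed out of mb->length before this append, so an assert(mb->length <= sizeof(mb->msg) - 3) before the call, or an early return when no room is left, would make the precondition explicit. The clamp after the call is right for truncation, but it cannot repair a wrapped size argument because by then the write has already happened.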