commit fb584f7676a14bc3889f48bdc4b95af3e84f1f37
parent 16d1b940fa923ab2f20c7c813754d160685bcb78
Author: sin <sin@2f30.org>
Date: Tue, 7 Oct 2014 01:43:17 +0100
Fix possible stack corruption when parsing friend IDs
Diffstat:
2 files changed, 18 insertions(+), 9 deletions(-)
diff --git a/config.mk b/config.mk
@@ -8,5 +8,5 @@ MANPREFIX = $(PREFIX)/share/man
CC = cc
LD = $(CC)
CPPFLAGS = -DVERSION=\"${VERSION}\"
-CFLAGS = -I/usr/local/include -Wall -Wunused $(CPPFLAGS)
-LDFLAGS = -L/usr/local/lib -ltoxcore -ltoxav -ltoxencryptsave
+CFLAGS = -g -I/usr/local/include -Wall -Wunused $(CPPFLAGS)
+LDFLAGS = -g -L/usr/local/lib -ltoxcore -ltoxav -ltoxencryptsave
diff --git a/ratox.c b/ratox.c
@@ -1446,17 +1446,26 @@ sendfriendreq(void *data)
return;
buf[n] = '\0';
- for (p = buf; *p && isspace(*p) == 0; p++)
+ /* locate start of msg */
+ for (p = buf; *p && !isspace(*p); p++)
;
- if (*p != '\0') {
- *p = '\0';
- while (isspace(*p++) != 0)
- ;
- if (*p != '\0')
- msg = p;
+ if (*p == '\0')
+ goto out; /* no msg */
+ *p++ = '\0';
+ if (*p == '\0') {
+ goto out; /* no msg */
+ } else {
+ msg = p;
if (msg[strlen(msg) - 1] == '\n')
msg[strlen(msg) - 1] = '\0';
}
+out:
+ if (strlen(buf) != sizeof(id) * 2) {
+ ftruncate(gslots[REQUEST].fd[ERR], 0);
+ lseek(gslots[REQUEST].fd[ERR], 0, SEEK_SET);
+ dprintf(gslots[REQUEST].fd[ERR], "Invalid friend ID\n");
+ return;
+ }
str2id(buf, id);
r = tox_add_friend(tox, id, (uint8_t *)buf, strlen(buf));
