set*() family functions all assume buffer size = PATHLEN, to prevent buffer overflow.

do some s/256/PATHLEN/.


git-svn-id: http://opensvn.csie.org/pttbbs/trunk/pttbbs@3074 63ad8ddf-47c3-0310-b6dd-a9e9d9715204

9 files changed, 77 insertions, 75 deletions

diff --git a/mbbsd/admin.c b/mbbsd/admin.c
index 03dda722..4abf11f1 100644
--- a/mbbsd/admin.c
+++ b/mbbsd/admin.c
@@ -55,7 +55,8 @@ m_user(void)
 static int retrieve_backup(userec_t *user)
 {
     int uid;
-    char src[256], dst[256];
+    char src[PATHLEN], dst[PATHLEN];
+    char ans;
 
     if ((uid = searchuser(user->userid, user->userid))) {
 	setumoney(uid, user->money);
@@ -63,9 +64,9 @@ static int retrieve_backup(userec_t *user)
 	return 0;
     }
 
-    src[0] = getans("目前的 PASSWD 檔沒有此 ID，新增嗎？[y/N]");
+    ans = getans("目前的 PASSWD 檔沒有此 ID，新增嗎？[y/N]");
 
-    if (src[0] != 'y') {
+    if (ans != 'y') {
 	vmsg("目前的 PASSWDS 檔沒有此 ID，請先新增此帳號");
 	return -1;
     }
@@ -259,9 +260,9 @@ setperms(unsigned int pbits, const char * const pstring[])
 static void
 AddingChessCountryFiles(const char* apath)
 {
-    char filename[256];
-    char symbolicname[256];
-    char adir[256];
+    char filename[PATHLEN];
+    char symbolicname[PATHLEN];
+    char adir[PATHLEN];
     FILE* fp;
     fileheader_t fh;
 
@@ -425,7 +426,7 @@ m_mod_board(char *bname)
     switch (*ans) {
     case 'g':
 	if (HasUserPerm(PERM_SYSOP | PERM_BOARD)) {
-	    char            path[256];
+	    char            path[PATHLEN];
 	    setbfile(genbuf, bname, FN_TICKET_LOCK);
 	    setbfile(path, bname, FN_TICKET_END);
 	    rename(genbuf, path);
diff --git a/mbbsd/announce.c b/mbbsd/announce.c
index b549a252..72a5fe8c 100644
--- a/mbbsd/announce.c
+++ b/mbbsd/announce.c
@@ -721,7 +721,7 @@ a_moveitem(menu_t * pm)
 static void
 a_delrange(menu_t * pm)
 {
-    char            fname[256];
+    char            fname[PATHLEN];
 
     snprintf(fname, sizeof(fname), "%s/.DIR", pm->path);
     del_range(0, NULL, fname);
@@ -1338,7 +1338,7 @@ void BlogMain(int num)
 		MYSQL   mysql;
 		char    cmd[256];
 		
-		sprintf(cmd, "delete from comment where "
+		snprintf(cmd, sizeof(cmd), "delete from comment where "
 			"hash='%s'&&brdname='%s'", hash, currboard);
 #ifdef DEBUG
 		vmsg(cmd);
diff --git a/mbbsd/bbs.c b/mbbsd/bbs.c
index fbe6b7ef..e2c485fe 100644
--- a/mbbsd/bbs.c
+++ b/mbbsd/bbs.c
@@ -1038,7 +1038,7 @@ b_posttype(int ent, const fileheader_t * fhdr, const char *direct)
 {
    boardheader_t  *bp;
    int i, aborted;
-   char filepath[256], genbuf[60], title[5], posttype_f, posttype[33]="";
+   char filepath[PATHLEN], genbuf[60], title[5], posttype_f, posttype[33]="";
 
    if(!(currmode & MODE_BOARD)) return DONOTHING;
    
@@ -1671,7 +1671,7 @@ hold_gamble(int ent, const fileheader_t * fhdr, const char *direct)
 static int
 cite_post(int ent, const fileheader_t * fhdr, const char *direct)
 {
-    char            fpath[256];
+    char            fpath[PATHLEN];
     char            title[TTLEN + 1];
 
     setbfile(fpath, currboard, fhdr->filename);
@@ -1753,7 +1753,7 @@ static int
 do_add_recommend(const char *direct, fileheader_t *fhdr,
 		 int ent, const char *buf, int type)
 {
-    char    path[256];
+    char    path[PATHLEN];
     int     update = 0;
     /*
       race here:
@@ -1800,7 +1800,7 @@ static int
 do_bid(int ent, fileheader_t * fhdr, const boardheader_t  *bp,
        const char *direct,  const struct tm *ptime)
 {
-    char            genbuf[200], fpath[256],say[30],*money;
+    char            genbuf[200], fpath[PATHLEN],say[30],*money;
     bid_t           bidinfo;
     int             mymax, next;
 
@@ -2213,7 +2213,7 @@ del_range(int ent, const fileheader_t *fhdr, const char *direct)
 static int
 del_post(int ent, fileheader_t * fhdr, char *direct)
 {
-    char            genbuf[100], newpath[256];
+    char            genbuf[100], newpath[PATHLEN];
     int             not_owned, tusernum;
     boardheader_t  *bp;
 
diff --git a/mbbsd/cache.c b/mbbsd/cache.c
index 79197183..b76d69da 100644
--- a/mbbsd/cache.c
+++ b/mbbsd/cache.c
@@ -673,18 +673,18 @@ void
 setbottomtotal(int bid)
 {
     boardheader_t  *bh = getbcache(bid);
-    char            genbuf[256];
+    char            fname[PATHLEN];
     int             n;
 
     if(!bh->brdname[0]) return;
-    setbfile(genbuf, bh->brdname, ".DIR.bottom");
-    n = get_num_records(genbuf, sizeof(fileheader_t));
+    setbfile(fname, bh->brdname, ".DIR.bottom");
+    n = get_num_records(fname, sizeof(fileheader_t));
     if(n>5)
       {
 #ifdef DEBUG_BOTTOM
-        log_file("fix_bottom", LOG_CREAT | LOG_VF, "%s n:%d\n", genbuf, n);
+        log_file("fix_bottom", LOG_CREAT | LOG_VF, "%s n:%d\n", fname, n);
 #endif
-        unlink(genbuf);
+        unlink(fname);
         SHM->n_bottom[bid-1]=0;
       }
     else
diff --git a/mbbsd/chess.c b/mbbsd/chess.c
index 7cb9290d..e131459d 100644
--- a/mbbsd/chess.c
+++ b/mbbsd/chess.c
@@ -796,16 +796,16 @@ ChessGenLogGlobal(ChessInfo* info, ChessGameResult result)
 {
     fileheader_t log_header;
     FILE        *fp;
-    char         buf[256];
+    char         fname[PATHLEN];
     int          bid;
 
     if ((bid = getbnum(info->constants->log_board)) == 0)
 	return;
 
-    setbpath(buf, info->constants->log_board);
-    stampfile(buf, &log_header);
+    setbpath(fname, info->constants->log_board);
+    stampfile(fname, &log_header);
 
-    fp = fopen(buf, "w");
+    fp = fopen(fname, "w");
     if (fp != NULL) {
 	info->actions->genlog(info, fp, result);
 	fclose(fp);
@@ -814,8 +814,8 @@ ChessGenLogGlobal(ChessInfo* info, ChessGameResult result)
 	snprintf(log_header.title, sizeof(log_header.title), "[棋譜] %s VS %s",
 		info->user1.userid, info->user2.userid);
 
-	setbdir(buf, info->constants->log_board);
-	append_record(buf, &log_header, sizeof(log_header));
+	setbdir(fname, info->constants->log_board);
+	append_record(fname, &log_header, sizeof(log_header));
 
 	setbtotal(bid);
     }
@@ -826,12 +826,12 @@ ChessGenLogUser(ChessInfo* info, ChessGameResult result)
 {
     fileheader_t log_header;
     FILE        *fp;
-    char         buf[256];
+    char         fname[PATHLEN];
 
-    sethomepath(buf, cuser.userid);
-    stampfile(buf, &log_header);
+    sethomepath(fname, cuser.userid);
+    stampfile(fname, &log_header);
 
-    fp = fopen(buf, "w");
+    fp = fopen(fname, "w");
     if (fp != NULL) {
 	info->actions->genlog(info, fp, result);
 	fclose(fp);
@@ -846,8 +846,8 @@ ChessGenLogUser(ChessInfo* info, ChessGameResult result)
 		    info->user2.userid, info->user1.userid);
 	log_header.filemode = 0;
 
-	sethomedir(buf, cuser.userid);
-	append_record_forward(buf, &log_header, sizeof(log_header),
+	sethomedir(fname, cuser.userid);
+	append_record_forward(fname, &log_header, sizeof(log_header),
 		cuser.userid);
 
 	mailalert(cuser.userid);
diff --git a/mbbsd/mail.c b/mbbsd/mail.c
index dd69aba9..f5d44c48 100644
--- a/mbbsd/mail.c
+++ b/mbbsd/mail.c
@@ -782,7 +782,7 @@ read_new_mail(void * voidfptr, void *optarg)
     fileheader_t *fptr=(fileheader_t*)voidfptr;
     struct ReadNewMailArg *arg=(struct ReadNewMailArg*)optarg;
     char            done = NA, delete_it;
-    char            fname[256];
+    char            fname[PATHLEN];
     char            genbuf[4];
 
     arg->idc++;
@@ -1313,7 +1313,7 @@ mail_man(void)
 static int
 mail_cite(int ent, fileheader_t * fhdr, const char *direct)
 {
-    char            fpath[256];
+    char            fpath[PATHLEN];
     char            title[TTLEN + 1];
     static char     xboard[20];
     char            buf[20];
@@ -1354,7 +1354,7 @@ mail_cite(int ent, fileheader_t * fhdr, const char *direct)
 static int
 mail_save(int ent, fileheader_t * fhdr, const char *direct)
 {
-    char            fpath[256];
+    char            fpath[PATHLEN];
     char            title[TTLEN + 1];
 
     if (HasUserPerm(PERM_MAILLIMIT)) {
@@ -1561,7 +1561,7 @@ m_read(void)
 static int
 send_inner_mail(const char *fpath, const char *title, const char *receiver)
 {
-    char            genbuf[256];
+    char            fname[PATHLEN];
     fileheader_t    mymail;
     char            rightid[IDLEN+1];
 
@@ -1569,18 +1569,18 @@ send_inner_mail(const char *fpath, const char *title, const char *receiver)
 	return -2;
 
     /* to avoid DDOS of disk */
-    sethomedir(genbuf, rightid);
+    sethomedir(fname, rightid);
     if (strcmp(rightid, cuser.userid) == 0) {
 	if (chk_mailbox_limit())
 	    return -2;
     }
     // XXX should we use MAX_EXKEEPMAIL instead?
-    else if (dashs(genbuf) >= 2048 * sizeof(fileheader_t)) {
+    else if (dashs(fname) >= 2048 * sizeof(fileheader_t)) {
 	return -2;
     }
 
-    sethomepath(genbuf, rightid);
-    stampfile(genbuf, &mymail);
+    sethomepath(fname, rightid);
+    stampfile(fname, &mymail);
     if (!strcmp(rightid, cuser.userid)) {
 	/* Using BBSNAME may be too loooooong. */
 	strlcpy(mymail.owner, "[站內]", sizeof(mymail.owner));
@@ -1588,10 +1588,10 @@ send_inner_mail(const char *fpath, const char *title, const char *receiver)
     } else
 	strlcpy(mymail.owner, cuser.userid, sizeof(mymail.owner));
     strncpy(mymail.title, title, TTLEN);
-    unlink(genbuf);
-    Copy(fpath, genbuf);
-    sethomedir(genbuf, rightid);
-    return append_record_forward(genbuf, &mymail, sizeof(mymail), rightid);
+    unlink(fname);
+    Copy(fpath, fname);
+    sethomedir(fname, rightid);
+    return append_record_forward(fname, &mymail, sizeof(mymail), rightid);
 }
 
 #include <netdb.h>
diff --git a/mbbsd/record.c b/mbbsd/record.c
index f244876a..0a4e9255 100644
--- a/mbbsd/record.c
+++ b/mbbsd/record.c
@@ -135,22 +135,22 @@ int
 substitute_ref_record(const char *direct, fileheader_t * fhdr, int ent)
 {
     fileheader_t    hdr;
-    char            genbuf[256];
+    char            fname[PATHLEN];
     int             num = 0;
 
     /* rocker.011018: 串接模式用reference增進效率 */
     if (!(fhdr->filemode & FILE_BOTTOM) &&  (fhdr->multi.refer.flag) &&
 	    (num = fhdr->multi.refer.ref)){
-	setdirpath(genbuf, direct, ".DIR");
-	get_record(genbuf, &hdr, sizeof(hdr), num);
+	setdirpath(fname, direct, ".DIR");
+	get_record(fname, &hdr, sizeof(hdr), num);
 	if (strcmp(hdr.filename, fhdr->filename)) {
-	    if((num = getindex(genbuf, fhdr, num))>0) {
-		substitute_record(genbuf, fhdr, sizeof(*fhdr), num);
+	    if((num = getindex(fname, fhdr, num))>0) {
+		substitute_record(fname, fhdr, sizeof(*fhdr), num);
 	    }
 	}
 	else if(num>0) {
 	    fhdr->multi.money = hdr.multi.money;
-	    substitute_record(genbuf, fhdr, sizeof(*fhdr), num);
+	    substitute_record(fname, fhdr, sizeof(*fhdr), num);
 	}
 	fhdr->multi.refer.flag = 1;
 	fhdr->multi.refer.ref = num; // Ptt: update now!
diff --git a/mbbsd/stuff.c b/mbbsd/stuff.c
index 2ec3ba1c..f5ecafa3 100644
--- a/mbbsd/stuff.c
+++ b/mbbsd/stuff.c
@@ -14,72 +14,73 @@ static char cdate_buffer[32];
 #define STR_DOTDIR  ".DIR"
 static const char * const str_dotdir = STR_DOTDIR;
 
+/* XXX set*() all assume buffer size = PATHLEN */
 void
 sethomepath(char *buf, const char *userid)
 {
-    sprintf(buf, "home/%c/%s", userid[0], userid);
+    snprintf(buf, PATHLEN, "home/%c/%s", userid[0], userid);
 }
 
 void
 sethomedir(char *buf, const char *userid)
 {
-    sprintf(buf, str_home_file, userid[0], userid, str_dotdir);
+    snprintf(buf, PATHLEN, str_home_file, userid[0], userid, str_dotdir);
 }
 
 void
 sethomeman(char *buf, const char *userid)
 {
-    sprintf(buf, str_home_file, userid[0], userid, "man");
+    snprintf(buf, PATHLEN, str_home_file, userid[0], userid, "man");
 }
 
 
 void
 sethomefile(char *buf, const char *userid, const char *fname)
 {
-    sprintf(buf, str_home_file, userid[0], userid, fname);
+    snprintf(buf, PATHLEN, str_home_file, userid[0], userid, fname);
 }
 
 void
 setuserfile(char *buf, const char *fname)
 {
-    sprintf(buf, str_home_file, cuser.userid[0], cuser.userid, fname);
+    snprintf(buf, PATHLEN, str_home_file, cuser.userid[0], cuser.userid, fname);
 }
 
 void
 setapath(char *buf, const char *boardname)
 {
-    sprintf(buf, "man/boards/%c/%s", boardname[0], boardname);
+    snprintf(buf, PATHLEN, "man/boards/%c/%s", boardname[0], boardname);
 }
 
 void
 setadir(char *buf, const char *path)
 {
-    sprintf(buf, "%s/%s", path, str_dotdir);
+    snprintf(buf, PATHLEN, "%s/%s", path, str_dotdir);
 }
 
 void
 setbpath(char *buf, const char *boardname)
 {
-    sprintf(buf, "boards/%c/%s", boardname[0], boardname);
+    snprintf(buf, PATHLEN, "boards/%c/%s", boardname[0], boardname);
 }
 
 void
 setbdir(char *buf, const char *boardname)
 {
-    sprintf(buf, str_board_file, boardname[0], boardname,
+    snprintf(buf, PATHLEN, str_board_file, boardname[0], boardname,
 	    (currmode & MODE_DIGEST ? fn_mandex : str_dotdir));
 }
 
 void
 setbfile(char *buf, const char *boardname, const char *fname)
 {
-    sprintf(buf, str_board_file, boardname[0], boardname, fname);
+    snprintf(buf, PATHLEN, str_board_file, boardname[0], boardname, fname);
 }
 
 void
 setbnfile(char *buf, const char *boardname, const char *fname, int n)
 {
-    sprintf(buf, str_board_n_file, boardname[0], boardname, fname, n);
+    snprintf(buf, PATHLEN, str_board_n_file, boardname[0], boardname, fname, n);
 }
 
 /*
@@ -94,7 +95,7 @@ setdirpath(char *buf, const char *direct, const char *fname)
     strcpy(buf, direct);
     p = strrchr(buf, '/');
     assert(p);
-    strcpy(p + 1, fname);
+    strlcpy(p + 1, fname, PATHLEN-(p+1-buf));
 }
 
 /**
@@ -188,10 +189,10 @@ invalid_pname(const char *str)
     while (*p1) {
 	if (!(p2 = strchr(p1, '/')))
 	    p2 = str + strlen(str);
-	if (p1 + 1 > p2 || p1 + strspn(p1, ".") == p2)
+	if (p1 + 1 > p2 || p1 + strspn(p1, ".") == p2) /* 不允許用 / 開頭, 或是 // 之間只有 . */
 	    return 1;
 	for (p3 = p1; p3 < p2; p3++)
-	    if (not_alnum(*p3) && !strchr("@[]-._", *p3))
+	    if (not_alnum(*p3) && !strchr("@[]-._", *p3)) /* 只允許 alnum 或這些符號 */
 		return 1;
 	p1 = p2 + (*p2 ? 1 : 0);
     }
@@ -371,12 +372,12 @@ static int copy_file_to_file(const char *src, const char *dst)
 
 static int copy_file_to_dir(const char *src, const char *dst)
 {
-    char buf[256];
+    char buf[PATHLEN];
     char *slash;
     if ((slash = rindex(src, '/')) == NULL)
-	sprintf(buf, "%s/%s", dst, src);
+	snprintf(buf, PATHLEN, "%s/%s", dst, src);
     else
-	sprintf(buf, "%s/%s", dst, slash);
+	snprintf(buf, PATHLEN, "%s/%s", dst, slash);
     return copy_file_to_file(src, buf);
 }
 
@@ -385,7 +386,7 @@ static int copy_dir_to_dir(const char *src, const char *dst)
     DIR *dir;
     struct dirent *entry;
     struct stat st;
-    char buf[256], buf2[256];
+    char buf[PATHLEN], buf2[PATHLEN];
 
     if (stat(dst, &st) < 0)
 	if (mkdir(dst, 0700) < 0)
@@ -398,8 +399,8 @@ static int copy_dir_to_dir(const char *src, const char *dst)
 	if (strcmp(entry->d_name, ".") == 0 ||
 	    strcmp(entry->d_name, "..") == 0)
 	    continue;
-	sprintf(buf, "%s/%s", src, entry->d_name);
-	sprintf(buf2, "%s/%s", dst, entry->d_name);
+	snprintf(buf, PATHLEN, "%s/%s", src, entry->d_name);
+	snprintf(buf2, PATHLEN, "%s/%s", dst, entry->d_name);
 	if (stat(buf, &st) < 0)
 	    continue;
 	if (S_ISDIR(st.st_mode))
diff --git a/mbbsd/syspost.c b/mbbsd/syspost.c
index 8849b2aa..447e00e3 100644
--- a/mbbsd/syspost.c
+++ b/mbbsd/syspost.c
@@ -7,12 +7,12 @@ post_msg(const char *bname, const char *title, const char *msg, const char *auth
     FILE           *fp;
     int             bid;
     fileheader_t    fhdr;
-    char            genbuf[256];
+    char            fname[PATHLEN];
 
     /* 在 bname 板發表新文章 */
-    setbpath(genbuf, bname);
-    stampfile(genbuf, &fhdr);
-    fp = fopen(genbuf, "w");
+    setbpath(fname, bname);
+    stampfile(fname, &fhdr);
+    fp = fopen(fname, "w");
 
     if (!fp)
 	return -1;
@@ -27,8 +27,8 @@ post_msg(const char *bname, const char *title, const char *msg, const char *auth
     /* 將檔案加入列表 */
     strlcpy(fhdr.title, title, sizeof(fhdr.title));
     strlcpy(fhdr.owner, author, sizeof(fhdr.owner));
-    setbdir(genbuf, bname);
-    if (append_record(genbuf, &fhdr, sizeof(fhdr)) != -1)
+    setbdir(fname, bname);
+    if (append_record(fname, &fhdr, sizeof(fhdr)) != -1)
 	if ((bid = getbnum(bname)) > 0)
 	    setbtotal(bid);
     return 0;