From 1de3f1bc78cbdc0390453bd9c4be53567f84cb2c Mon Sep 17 00:00:00 2001
From: piaip
Date: Wed, 25 Jan 2012 13:16:07 +0000
Subject: Fix buffer overflow in register.c, again.

git-svn-id: http://opensvn.csie.org/pttbbs/trunk@5523 63ad8ddf-47c3-0310-b6dd-a9e9d9715204
---
pttbbs/mbbsd/register.c | 50 +++++++++++++++++++++++++------------------------
1 file changed, 26 insertions(+), 24 deletions(-)

diff --git a/pttbbs/mbbsd/register.c b/pttbbs/mbbsd/register.c
index f549a98c..2b0942b4 100644
--- a/pttbbs/mbbsd/register.c
+++ b/pttbbs/mbbsd/register.c
@@ -1442,31 +1442,33 @@ print_regform_entry(const RegformEntry *pre, FILE *fp, int close) return 1; } +// The size to hold concat_regform_entry_localized +#define REGFORM_LOCALIZED_ENTRIES_BUFSIZE (10 * STRLEN) + static int concat_regform_entry_localized(const RegformEntry *pre, char *result, int maxlen) { int len = strlen(result); - len += snprintf(result + len, maxlen - len, "使用者ID: %s\n", pre->u.userid); - assert(len <= maxlen); - len += snprintf(result + len, maxlen - len, "真實姓名: %s\n", pre->u.realname); - assert(len <= maxlen); - len += snprintf(result + len, maxlen - len, "職業學校: %s\n", pre->u.career); - assert(len <= maxlen); - len += snprintf(result + len, maxlen - len, "目前住址: %s\n", pre->u.address); - assert(len <= maxlen); - len += snprintf(result + len, maxlen - len, "電話號碼: %s\n", pre->u.phone); - assert(len <= maxlen); - len += snprintf(result + len, maxlen - len, "上站位置: %s\n", pre->u.lasthost); - assert(len <= maxlen); - len += snprintf(result + len, maxlen - len, "----\n"); + snprintf(result + len, maxlen - len, "使用者ID: %s\n", pre->u.userid); + len = strlen(result); + snprintf(result + len, maxlen - len, "真實姓名: %s\n", pre->u.realname); + len = strlen(result); + snprintf(result + len, maxlen - len, "職業學校: %s\n", pre->u.career); + len = strlen(result); + snprintf(result + len, maxlen - len, "目前住址: %s\n", pre->u.address); + len = strlen(result); + snprintf(result + len, maxlen - len, "電話號碼: %s\n", pre->u.phone); + len = strlen(result); + snprintf(result + len, maxlen - len, "上站位置: %s\n", pre->u.lasthost); + len = strlen(result); + snprintf(result + len, maxlen - len, "----\n"); return 1; } static int print_regform_entry_localized(const RegformEntry *pre, FILE *fp) { - // This buf must be large enough for concat_regform_entry_localized - char buf[STRLEN * 10]; + char buf[REGFORM_LOCALIZED_ENTRIES_BUFSIZE]; buf[0] = '\0'; concat_regform_entry_localized(pre, buf, sizeof(buf)); fputs(buf, fp); 
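Review bot: concat_regform_entry_localized still passes `maxlen - len` to snprintf without checking that the incoming string fits in `maxlen`. If `strlen(result)` on entry is greater than `maxlen`, the difference is negative and becomes a very large `size_t`, so the write is effectively unbounded again. A guard right after the first `strlen` closes this: `if (maxlen <= 0 || len >= maxlen) return 0;`. The function also returns 1 when fields were truncated, so callers such as print_regform_entry_localized (whose body continues past the hunk) cannot tell a complete entry from a cut one. A short comment stating that `result` must be NUL-terminated within `maxlen` bytes would document the contract.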
@@ -1532,7 +1534,7 @@ regform_log2board(const RegformEntry *pre, char accepted, char *title2 = NULL; // The message may contain ANSI escape sequences (regform_concat_reasons) - char msg[ANSILINELEN * REJECT_REASONS]; + char msg[ANSILINELEN * REJECT_REASONS + REGFORM_LOCALIZED_ENTRIES_BUFSIZE]; snprintf(title, sizeof(title), "[審核] %s: %s (%s: %s)", @@ -1564,7 +1566,7 @@ regform_log2file(const RegformEntry *pre, char accepted, { #ifdef FN_ID_RECORD // The message may contain ANSI escape sequences (regform_concat_reasons) - char msg[ANSILINELEN * REJECT_REASONS]; + char msg[ANSILINELEN * REJECT_REASONS + REGFORM_LOCALIZED_ENTRIES_BUFSIZE]; FILE *fp; snprintf(msg, sizeof(msg), @@ -1712,15 +1714,15 @@ regform_concat_reasons(const char *reason, char *result, int maxlen) { int i = 0; for (i = 0; reason[i] && REASON_IN_ABBREV(reason[i]); i++) { - assert(len <= maxlen); - len += snprintf(result + len, maxlen - len, - ANSI_COLOR(1;33) - "[退回原因] %s" ANSI_RESET "\n", - REASON_EXPANDABBREV(reason[i])); + snprintf(result + len, maxlen - len, + ANSI_COLOR(1;33) + "[退回原因] %s" ANSI_RESET "\n", + REASON_EXPANDABBREV(reason[i])); + len = strlen(result); } } else { - len += snprintf(result + len, maxlen - len, - ANSI_COLOR(1;33) "[退回原因] %s" ANSI_RESET "\n", reason); + snprintf(result + len, maxlen - len, + ANSI_COLOR(1;33) "[退回原因] %s" ANSI_RESET "\n", reason); } } -- cgit v1.2.3
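Review bot: The comment above `msg` in regform_log2board still explains only the `ANSILINELEN * REJECT_REASONS` term, so the new `+ REGFORM_LOCALIZED_ENTRIES_BUFSIZE` term is undocumented. The same applies to the `msg` declaration in regform_log2file in the next hunk. Suggested wording for both: `// Holds the reject reasons (regform_concat_reasons, may contain ANSI escapes) plus the entry text from concat_regform_entry_localized`. regform_log2file also formats a header into `msg` first (`snprintf(msg, sizeof(msg),` is visible), and that text is not counted in the sum, so the size is only safe while every later write stays bounded by `sizeof(msg)`. Both function bodies extend beyond their hunks, so the later writes could not be checked here.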
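Review bot: When a reason line does not fit, the loop in regform_concat_reasons keeps whatever prefix snprintf wrote, so `result` can end inside the `ANSI_COLOR(1;33)` sequence or without the trailing `ANSI_RESET`. The colour attribute then carries over into whatever is displayed or logged after the message. snprintf's return value already reports truncation, so the loop can check it, roll `result` back to the previous length and stop, as sketched below. The single snprintf in the else branch needs the same check. `len` is declared before the hunk starts, so the sketch assumes it is an `int` initialised from `strlen(result)`, as in concat_regform_entry_localized.

```c
for (i = 0; reason[i] && REASON_IN_ABBREV(reason[i]); i++) {
    int room = maxlen - len;
    int n;

    if (room <= 1)
        break;              // nothing more fits
    n = snprintf(result + len, room,
                 ANSI_COLOR(1;33)
                 "[退回原因] %s" ANSI_RESET "\n",
                 REASON_EXPANDABBREV(reason[i]));
    if (n < 0 || n >= room) {
        result[len] = '\0'; // drop the partial line so no escape sequence is left open
        break;
    }
    len += n;
}
// … unchanged: else branch for a free-text reason …
```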