From e8abf57867b7bb211c2f693c50887a263d5c4510 Mon Sep 17 00:00:00 2001
From: piaip
Date: Mon, 24 Mar 2008 13:29:51 +0000
Subject: - fix buffer overflow (due to some invalid friend file containing very long id)
git-svn-id: http://opensvn.csie.org/pttbbs/trunk/pttbbs@4015 63ad8ddf-47c3-0310-b6dd-a9e9d9715204
---
 mbbsd/friend.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
(limited to 'mbbsd/friend.c')
diff --git a/mbbsd/friend.c b/mbbsd/friend.c
index 4fbc0be3..e5d9776d 100644
--- a/mbbsd/friend.c
+++ b/mbbsd/friend.c
@@ -202,15 +202,17 @@ delete_friend_from_file(const char *file, const char *string, int case_sensitiv
 {
 FILE *fp = NULL, *nfp = NULL;
 char fnew[PATHLEN];
- char genbuf[STRLEN + 1];
+ char genbuf[STRLEN + 1], buf[STRLEN];
 int ret = 0;
- sprintf(fnew, "%s.%3.3X", file, (unsigned int)(random() & 0xFFF));
+ snprintf(fnew, sizeof(fnew), "%s.%3.3X", file, (unsigned int)(random() & 0xFFF));
 if ((fp = fopen(file, "r")) && (nfp = fopen(fnew, "w"))) {
 while (fgets(genbuf, sizeof(genbuf), fp))
 if ((genbuf[0] > ' ')) {
- char buf[32];
+ // prevent buffer overflow
+ genbuf[sizeof(genbuf)-1] =0;
 sscanf(genbuf, " %s", buf);
+ genbuf[sizeof(buf)-1] =0;
 if (((case_sensitive && strcmp(buf, string)) || (!case_sensitive && strcasecmp(buf, string))))
 fputs(genbuf, nfp);
-- 
cgit v1.2.3
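Review bot: The unbounded `%s` in `sscanf(genbuf, " %s", buf)` can still write one byte past `buf`: `fgets` may return up to STRLEN non-blank characters, and that token plus its terminator needs STRLEN + 1 bytes while the new declaration is `buf[STRLEN]`. The added `genbuf[sizeof(buf)-1] =0;` runs after the `sscanf`, so it cannot bound that write, and it truncates `genbuf` rather than `buf`, which removes the last character of a full-length line before `fputs(genbuf, nfp)` copies it to the new file; it looks like a typo for `buf`. `genbuf[sizeof(genbuf)-1] =0;` is redundant because `fgets` always terminates the buffer. Sizing the token buffer to match the line buffer, `char genbuf[STRLEN + 1], buf[STRLEN + 1];`, and deleting both assignments would close the off-by-one without altering the data written back. The body of delete_friend_from_file starts and ends outside this hunk.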