From b9539de0ffa696b5f8debe2d3e91e4eab81004fa Mon Sep 17 00:00:00 2001
From: kcwu <kcwu@63ad8ddf-47c3-0310-b6dd-a9e9d9715204>
Date: Thu, 20 Sep 2007 17:18:53 +0000
Subject:  * fix bug: don't getdata() on non-local variable directly, to avoid
 reentrant crash.

git-svn-id: http://opensvn.csie.org/pttbbs/trunk/pttbbs@3564 63ad8ddf-47c3-0310-b6dd-a9e9d9715204
---
 mbbsd/bbs.c       | 29 +++++++++++++++++------------
 mbbsd/cal.c       |  4 +++-
 mbbsd/chicken.c   |  9 ++++++---
 mbbsd/lovepaper.c |  8 ++++----
 mbbsd/mail.c      | 12 ++++++++----
 mbbsd/talk.c      |  4 +++-
 6 files changed, 41 insertions(+), 25 deletions(-)

(limited to 'mbbsd')

diff --git a/mbbsd/bbs.c b/mbbsd/bbs.c
index cc9a893f..263fe384 100644
--- a/mbbsd/bbs.c
+++ b/mbbsd/bbs.c
@@ -638,16 +638,19 @@ do_reply_title(int row, const char *title)
 {
     char            genbuf[200];
     char            genbuf2[4];
+    char            tmp_title[STRLEN];
 
     if (strncasecmp(title, str_reply, 4))
-	snprintf(save_title, sizeof(save_title), "Re: %s", title);
+	snprintf(tmp_title, sizeof(tmp_title), "Re: %s", title);
     else
-	strlcpy(save_title, title, sizeof(save_title));
-    save_title[TTLEN - 1] = '\0';
-    snprintf(genbuf, sizeof(genbuf), "採用原標題《%.60s》嗎?[Y] ", save_title);
+	strlcpy(tmp_title, title, sizeof(tmp_title));
+    tmp_title[TTLEN - 1] = '\0';
+    snprintf(genbuf, sizeof(genbuf), "採用原標題《%.60s》嗎?[Y] ", tmp_title);
     getdata(row, 0, genbuf, genbuf2, 4, LCECHO);
     if (genbuf2[0] == 'n' || genbuf2[0] == 'N')
-	getdata(++row, 0, "標題：", save_title, TTLEN, DOECHO);
+	getdata(++row, 0, "標題：", tmp_title, TTLEN, DOECHO);
+    // don't getdata() on non-local variable save_title directly, to avoid reentrant crash.
+    strlcpy(save_title, tmp_title, sizeof(save_title));
 }
 /*
 static void
@@ -838,6 +841,7 @@ do_general(int isbid)
     if (quote_file[0])
 	do_reply_title(20, currtitle);
     else {
+	char tmp_title[STRLEN];
 	if (!isbid) {
 	    move(21,0);
 	    outs("種類：");
@@ -847,24 +851,25 @@ do_general(int isbid)
 	    for(aborted=0; aborted<i; aborted++)
 		prints("%d.%4.4s ", aborted+1, ctype[aborted]);
 	    sprintf(buf,"(1-%d或不選)",i);
-	    getdata(21, 6+7*i, buf, save_title, 3, LCECHO); 
-	    posttype = save_title[0] - '1';
+	    getdata(21, 6+7*i, buf, tmp_title, 3, LCECHO); 
+	    posttype = tmp_title[0] - '1';
 	    if (posttype >= 0 && posttype < i)
-		snprintf(save_title, sizeof(save_title),
+		snprintf(tmp_title, sizeof(tmp_title),
 			"[%s] ", ctype[posttype]);
 	    else
 	    {
-		save_title[0] = '\0';
+		tmp_title[0] = '\0';
 		posttype=-1;
 	    }
 	}
-	getdata_buf(22, 0, "標題：", save_title, TTLEN, DOECHO);
-	strip_ansi(save_title, save_title, STRIP_ALL);
-	if( strcmp(save_title, "[711iB] 增加上站次數程式") == 0 ){
+	getdata_buf(22, 0, "標題：", tmp_title, TTLEN, DOECHO);
+	strip_ansi(tmp_title, tmp_title, STRIP_ALL);
+	if( strcmp(tmp_title, "[711iB] 增加上站次數程式") == 0 ){
 	    cuser.userlevel |= PERM_VIOLATELAW;
 	    sleep(60);
 	    u_exit("bad program");
 	}
+	strlcpy(save_title, tmp_title, sizeof(save_title));
     }
     if (save_title[0] == '\0')
 	return FULLUPDATE;
diff --git a/mbbsd/cal.c b/mbbsd/cal.c
index 4fad13ff..faafe2b5 100644
--- a/mbbsd/cal.c
+++ b/mbbsd/cal.c
@@ -300,14 +300,16 @@ p_cloak(void)
 int
 p_from(void)
 {
+    char tmp_from[sizeof(currutmp->from)];
     if (getans("確定要改故鄉?[y/N]") != 'y')
 	return 0;
     reload_money();
     if (cuser.money < 49)
 	return 0;
     if (getdata_buf(b_lines - 1, 0, "請輸入新故鄉:",
-		    currutmp->from, sizeof(currutmp->from), DOECHO)) {
+		    tmp_from, sizeof(tmp_from), DOECHO)) {
 	vice(49, "更改故鄉");
+	strlcpy(currutmp->from, tmp_from, sizeof(currutmp->from));
 	currutmp->from_alias = 0;
     }
     return 0;
diff --git a/mbbsd/chicken.c b/mbbsd/chicken.c
index d57a3bfe..f73d8c5a 100644
--- a/mbbsd/chicken.c
+++ b/mbbsd/chicken.c
@@ -101,6 +101,7 @@ new_chicken(void)
 {
     chicken_t *mychicken = &cuser.mychicken;
     int             price, i;
+    char tmp_name[sizeof(mychicken->name)];
 
     clear();
     move(2, 0);
@@ -128,9 +129,11 @@ new_chicken(void)
 	return 0;
     }
     vice(price, "寵物蛋");
-    while (strlen(mychicken->name) < 3)
-	getdata(8, 0, "幫牠取個好名字：", mychicken->name,
-		sizeof(mychicken->name), DOECHO);
+    strlcpy(tmp_name, mychicken->name, sizeof(tmp_name));
+    while (strlen(tmp_name) < 3)
+	getdata(8, 0, "幫牠取個好名字：", tmp_name,
+		sizeof(tmp_name), DOECHO);
+    strlcpy(mychicken->name, tmp_name, sizeof(mychicken->name));
 
     log_file(CHICKENLOG, LOG_CREAT | LOG_VF,
               ANSI_COLOR(31) "%s " ANSI_RESET "養了一隻叫" ANSI_COLOR(33) " %s " ANSI_RESET "的 "
diff --git a/mbbsd/lovepaper.c b/mbbsd/lovepaper.c
index 8e9f5267..7cb49c12 100644
--- a/mbbsd/lovepaper.c
+++ b/mbbsd/lovepaper.c
@@ -5,7 +5,7 @@
 int
 x_love(void)
 {
-    char            buf1[200], save_title[TTLEN + 1];
+    char            buf1[200], title[TTLEN + 1];
     char            receiver[61], path[STRLEN] = "home/";
     int             x, y = 0, tline = 0, poem = 0;
     FILE           *fp, *fpo;
@@ -26,8 +26,8 @@ x_love(void)
     if (!getdata(7, 0, "收信人：", receiver, sizeof(receiver), DOECHO))
 	return 0;
     if (receiver[0] && !(searchuser(receiver, receiver) &&
-			 getdata(8, 0, "主  題：", save_title,
-				 sizeof(save_title), DOECHO))) {
+			 getdata(8, 0, "主  題：", title,
+				 sizeof(title), DOECHO))) {
 	move(10, 0);
 	vmsg("收信人或主題不正確,情書無法傳遞");
 	return 0;
@@ -94,7 +94,7 @@ x_love(void)
 	sethomepath(buf1, receiver);
 	stampfile(buf1, &mhdr);
 	Rename(path, buf1);
-	strlcpy(mhdr.title, save_title, sizeof(mhdr.title));
+	strlcpy(mhdr.title, title, sizeof(mhdr.title));
 	strlcpy(mhdr.owner, cuser.userid, sizeof(mhdr.owner));
 	sethomedir(path, receiver);
 	if (append_record(path, &mhdr, sizeof(mhdr)) == -1)
diff --git a/mbbsd/mail.c b/mbbsd/mail.c
index 2cc3e886..49d66859 100644
--- a/mbbsd/mail.c
+++ b/mbbsd/mail.c
@@ -179,12 +179,13 @@ int
 m_internet(void)
 {
     char            receiver[60];
+    char title[STRLEN];
 
     getdata(20, 0, "收信人：", receiver, sizeof(receiver), DOECHO);
     trim(receiver);
     if (strchr(receiver, '@') && !invalidaddr(receiver) &&
-	getdata(21, 0, "主  題：", save_title, STRLEN, DOECHO))
-	do_send(receiver, save_title);
+	getdata(21, 0, "主  題：", title, sizeof(title), DOECHO))
+	do_send(receiver, title);
     else {
 	vmsg("收信人或主題不正確,請重新選取指令");
     }
@@ -338,8 +339,11 @@ do_send(const char *userid, const char *title)
     /* process title */
     if (title)
 	strlcpy(save_title, title, sizeof(save_title));
-    else
-	getdata(2, 0, "主題：", save_title, STRLEN - 20, DOECHO);
+    else {
+	char tmp_title[STRLEN-20];
+	getdata(2, 0, "主題：", tmp_title, sizeof(tmp_title), DOECHO);
+	strlcpy(save_title, tmp_title, sizeof(save_title));
+    }
 
     setutmpmode(SMAIL);
 
diff --git a/mbbsd/talk.c b/mbbsd/talk.c
index e2bc8354..85d1300b 100644
--- a/mbbsd/talk.c
+++ b/mbbsd/talk.c
@@ -2911,8 +2911,10 @@ userlist(void)
 
 	    case 'N':
 		if (HasUserPerm(PERM_LOGINOK)) {
+		    char tmp_nick[sizeof(cuser.nickname)];
 		    oldgetdata(1, 0, "新的暱稱: ",
-			    cuser.nickname, sizeof(cuser.nickname), DOECHO);
+			    tmp_nick, sizeof(tmp_nick), DOECHO);
+		    strlcpy(cuser.nickname, tmp_nick, sizeof(cuser.nickname));
 		    strcpy(currutmp->nickname, cuser.nickname);
 		    redrawall = redraw = 1;
 		}
-- 
cgit v1.2.3