Index: src/midas.c =================================================================== RCS file: /usr/local/cvsroot/midas/src/midas.c,v retrieving revision 1.203 diff -u -r1.203 midas.c --- src/midas.c 19 Mar 2004 09:58:22 -0000 1.203 +++ src/midas.c 31 Mar 2004 05:11:00 -0000 @@ -14814,8 +14814,9 @@ \********************************************************************/ /********************************************************************/ -void el_decode(char *message, char *key, char *result) +void el_decode(char *message, char *key, char *result, int size) { + char *rstart = result; char *pc; if (result == NULL) @@ -14828,6 +14829,8 @@ *result++ = *pc++; *result = 0; } + + assert(strlen(rstart) < size); } /**dox***************************************************************/ @@ -15020,9 +15023,9 @@ size = atoi(str + 9); read(fh, message, size); - el_decode(message, "Date: ", date); - el_decode(message, "Thread: ", thread); - el_decode(message, "Attachment: ", attachment); + el_decode(message, "Date: ", date, sizeof(date)); + el_decode(message, "Thread: ", thread, sizeof(thread)); + el_decode(message, "Attachment: ", attachment, sizeof(attachment)); /* buffer tail of logfile */ lseek(fh, 0, SEEK_END); @@ -15092,7 +15095,7 @@ sprintf(message + strlen(message), "========================================\n"); strcat(message, text); - assert(strlen(message) < sizeof(message)); // bomb out on array overrun. + assert(strlen(message) < sizeof(message)); /* bomb out on array overrun. */ size = 0; sprintf(start_str, "$Start$: %6d\n", size); @@ -15104,6 +15107,9 @@ sprintf(tag, "%02d%02d%02d.%d", tms->tm_year % 100, tms->tm_mon + 1, tms->tm_mday, (int) TELL(fh)); + /* size has to fit in 6 digits */ + assert(size < 999999); + sprintf(start_str, "$Start$: %6d\n", size); sprintf(end_str, "$End$: %6d\n\f", size); @@ -15339,13 +15345,20 @@ return EL_FILE_ERROR; } - if (strncmp(str, "$End$: ", 7) == 0) { - size = atoi(str + 7); - lseek(*fh, -size, SEEK_CUR); - } else { + if (strncmp(str, "$End$: ", 7) != 0) { close(*fh); return EL_FILE_ERROR; } + + /* make sure the input string to atoi() is zero-terminated: + * $End$: 355garbage + * 01234567890123456789 */ + str[15] = 0; + + size = atoi(str + 7); + assert(size > 15); + + lseek(*fh, -size, SEEK_CUR); /* adjust tag */ sprintf(strchr(tag, '.') + 1, "%d", (int) TELL(*fh)); @@ -15364,14 +15377,21 @@ } lseek(*fh, -15, SEEK_CUR); - if (strncmp(str, "$Start$: ", 9) == 0) { - size = atoi(str + 9); - lseek(*fh, size, SEEK_CUR); - } else { + if (strncmp(str, "$Start$: ", 9) != 0) { close(*fh); return EL_FILE_ERROR; } + /* make sure the input string to atoi() is zero-terminated + * $Start$: 606garbage + * 01234567890123456789 */ + str[15] = 0; + + size = atoi(str+9); + assert(size > 15); + + lseek(*fh, size, SEEK_CUR); + /* if EOF, goto next day */ i = read(*fh, str, 15); if (i < 15) { @@ -15444,7 +15464,7 @@ \********************************************************************/ { - int size, fh, offset, search_status; + int size, fh = 0, offset, search_status, rd; char str[256], *p; char message[10000], thread[256], attachment_all[256]; @@ -15462,10 +15482,24 @@ /* extract message size */ offset = TELL(fh); - read(fh, str, 16); - size = atoi(str + 9); + rd = read(fh, str, 15); + assert(rd == 15); + + /* make sure the input string is zero-terminated before we call atoi() */ + str[15] = 0; + + /* get size */ + size = atoi(str+9); + + assert(strncmp(str,"$Start$:",8) == 0); + assert(size > 15); + assert(size < sizeof(message)); + memset(message, 0, sizeof(message)); - read(fh, message, size); + + rd = read(fh, message, size); + assert(rd > 0); + assert((rd+15 == size)||(rd == size)); close(fh); @@ -15473,14 +15507,14 @@ if (strstr(message, "Run: ") && run) *run = atoi(strstr(message, "Run: ") + 5); - el_decode(message, "Date: ", date); - el_decode(message, "Thread: ", thread); - el_decode(message, "Author: ", author); - el_decode(message, "Type: ", type); - el_decode(message, "System: ", system); - el_decode(message, "Subject: ", subject); - el_decode(message, "Attachment: ", attachment_all); - el_decode(message, "Encoding: ", encoding); + el_decode(message, "Date: ", date, 80); /* size from show_elog_submit_query() */ + el_decode(message, "Thread: ", thread, sizeof(thread)); + el_decode(message, "Author: ", author, 80); /* size from show_elog_submit_query() */ + el_decode(message, "Type: ", type, 80); /* size from show_elog_submit_query() */ + el_decode(message, "System: ", system, 80); /* size from show_elog_submit_query() */ + el_decode(message, "Subject: ", subject, 256); /* size from show_elog_submit_query() */ + el_decode(message, "Attachment: ", attachment_all, sizeof(attachment_all)); + el_decode(message, "Encoding: ", encoding, 80); /* size from show_elog_submit_query() */ /* break apart attachements */ if (attachment1 && attachment2 && attachment3) { @@ -15496,6 +15530,10 @@ strcpy(attachment3, p); } } + + assert(strlen(attachment1) < 256); /* size from show_elog_submit_query() */ + assert(strlen(attachment2) < 256); /* size from show_elog_submit_query() */ + assert(strlen(attachment3) < 256); /* size from show_elog_submit_query() */ } /* conver thread in reply-to and reply-from */