From be52635f543d1b2540bf30e27f7561c441a1974e Mon Sep 17 00:00:00 2001 From: Ralf Baechle Date: Wed, 26 Jul 2017 11:54:31 +0200 Subject: call: Fix possible buffer overflow. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When downloading a file with a very long filename the 80 byte buffer used by start_ab_download() might overflow. Increase the buffer to a sufficient size and switch to using snprintf for double safety. This also fixes the following warnings: gcc -DHAVE_CONFIG_H -I. -I.. -g -O2 -Wall -MT call.o -MD -MP -MF .deps/call.Tpo -c -o call.o call.c call.c: In function ‘cmd_call’: call.c:1008:33: warning: ‘%s’ directive writing up to 254 bytes into a region of size 62 [-Wformat-overflow=] sprintf(s, "filename : %s", gp->file_name); ^~ call.c:1008:3: note: ‘sprintf’ output between 19 and 273 bytes into a destination of size 80 sprintf(s, "filename : %s", gp->file_name); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ call.c:1022:30: warning: ‘%s’ directive writing up to 254 bytes into a region of size 65 [-Wformat-overflow=] sprintf(s, "Unable to open %s", gp->file_name); ^~ call.c:1022:3: note: ‘sprintf’ output between 16 and 270 bytes into a destination of size 80 sprintf(s, "Unable to open %s", gp->file_name); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Signed-off-by: Ralf Baechle
---
 call/call.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'call/call.c')
diff --git a/call/call.c b/call/call.c
index 172f491..4c49cd4 100644
--- a/call/call.c
+++ b/call/call.c
@@ -910,7 +910,7 @@ static int start_ab_download(int mode, WINDOW ** swin, wint * wintab,
 int cnt;
 int date = 0;
 struct tm ft;
- char s[80];
+ char s[GP_FILENAME_SIZE + 18];
 int time_set = 0;
 for (crcst = 2; crcst < parmsbytes - 1 &&
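Review bot: The `18` in `char s[GP_FILENAME_SIZE + 18];` is an unexplained constant. Going by the compiler output quoted in the commit message (19 to 273 bytes for the `filename` line), it appears to be the length of the longest fixed text formatted in front of `gp->file_name`, so the buffer is sized exactly for the current format strings. A comment on the declaration would keep the two in step, for example `/* 18 = longest fixed prefix written before file_name; GP_FILENAME_SIZE covers the name and its NUL */`. The definition of GP_FILENAME_SIZE and the declaration of file_name are outside the hunk, so whether the size includes the terminator should be confirmed there. The body of start_ab_download continues outside the hunk.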
@@ -1005,7 +1005,7 @@ static int start_ab_download(int mode, WINDOW ** swin, wint * wintab,
 sprintf(s, "size of file : %lu", (unsigned long) gp->dwn_cnt);
 wrdstatw(*swin, s);
- sprintf(s, "filename : %s", gp->file_name);
+ snprintf(s, sizeof(s), "filename : %s", gp->file_name);
 wrdstatw(*swin, s);
 sprintf(s, "last mod. date : %02i.%02i.%04i", ft.tm_mday, ft.tm_mon+1 , ft.tm_year + 1900);
@@ -1019,7 +1019,7 @@ static int start_ab_download(int mode, WINDOW ** swin, wint * wintab,
 if ((gp->dwn_file = open(gp->file_name, O_RDWR | O_CREAT, 0666)) == -1) {
- sprintf(s, "Unable to open %s", gp->file_name);
+ snprintf(s, sizeof(s), "Unable to open %s", gp->file_name);
 statline(mode, s);
 if (write(fd, "#ABORT#\r", 8) == -1) {
 perror("write");
-- cgit v1.2.3
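Review bot: The two neighbouring writes to `s` in this hunk, the `size of file` and `last mod. date` lines, still use unbounded `sprintf`. Their output fits the enlarged buffer today, but `%02i` and `%04i` are minimum widths only, and the `ft` fields may be filled from the received header (that code is outside the hunk). Converting them as well, e.g. `snprintf(s, sizeof(s), "size of file : %lu", (unsigned long) gp->dwn_cnt);`, would bound every write to `s` in start_ab_download the same way. The function body continues outside the hunk.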
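Review bot: The `open(gp->file_name, O_RDWR | O_CREAT, 0666)` call just above the changed line creates a file under a name that, going by the commit message, arrives with the download, and nothing in this hunk restricts where that name points. Unless the name is already reduced to a plain file name earlier in start_ab_download (outside the hunk), a check before the open such as `if (strchr(gp->file_name, '/') != NULL)` that takes the existing `#ABORT#` path would keep the remote side from choosing the directory the file is written to. The mode `0666` also leaves the new file writable by everyone unless the umask narrows it; `0644` or `0600` would be a safer default. The function body continues outside the hunk.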