* room_ops.c: exploitable overrun fixes

diff --git a/citadel/ChangeLog b/citadel/ChangeLog
index d4ca51e49b0282a06e981b23e3e17072edbf803b..653d59a5f4ed55f6276aa2b72a990c2380cdb9c2 100644 (file)
--- a/citadel/ChangeLog
+++ b/citadel/ChangeLog
@@ -1,5 +1,6 @@
 1998-10-16 Nathan Bryant <bryant@cs.usm.maine.edu>
        * sysdep.c (cprintf): generate a newline on truncated buffer
+       * room_ops.c: exploitable overrun fixes
 
 Thu Oct 15 19:27:32 EDT 1998 Art Cancro <ajc@uncnsrd.mt-kisco.ny.us>
        * msgbase.c: reimplemented cmd_move()

diff --git a/citadel/room_ops.c b/citadel/room_ops.c
index 241d158763c886bef7a779c49e317037f7ea5911..4a328f2b4b8469f64ca7a2a36500cc6d771aab4d 100644 (file)
--- a/citadel/room_ops.c
+++ b/citadel/room_ops.c
@@ -111,9 +111,10 @@ int getroom(struct quickroom *qrbuf, char *room_name)
        char lowercase_name[ROOMNAMELEN];
        int a;
 
-       for (a=0; a<=strlen(room_name); ++a) {
+       for (a=0; room_name[a] && a < sizeof lowercase_name - 1; ++a) {
                lowercase_name[a] = tolower(room_name[a]);
                }
+       lowercase_name[sizeof lowercase_name - 1] = 0;
 
        memset(qrbuf, 0, sizeof(struct quickroom));
        cdbqr = cdb_fetch(CDB_QUICKROOM,
@@ -716,7 +717,7 @@ void cmd_goto(char *gargs)
        int c;
        int ok = 0;
        int ra;
-       char bbb[ROOMNAMELEN],towhere[32],password[20];
+       char bbb[ROOMNAMELEN],towhere[256],password[256];
 
        if ((!(CC->logged_in)) && (!(CC->internal_pgm))) {
                cprintf("%d not logged in\n",ERROR+NOT_LOGGED_IN);