* sysdep.c: fix infinite loop when long lines are received from the

          client; fix exploitable buffer overrun in cprintf()

diff --git a/citadel/ChangeLog b/citadel/ChangeLog
index b91f5c0757af5b77550bbb1d7d9d74f5defdeb03..6b89654deedc953dd650f8059418e4ff98dbdb93 100644 (file)
--- a/citadel/ChangeLog
+++ b/citadel/ChangeLog
@@ -8,6 +8,8 @@ Mon Oct 12 15:27:21 EDT 1998 Art Cancro <ajc@uncnsrd.mt-kisco.ny.us>
        * tools.c, tools.h: new files; misc routines used by both client and
          server go here. contains safestrncpy() at the moment.
        * rooms.c: fix several exploitable buffer overruns
+       * sysdep.c: fix infinite loop when long lines are received from the
+         client; fix exploitable buffer overrun in cprintf()
        * .cvsignore: add *.ro
 
 Sun Oct 11 23:17:48 EDT 1998 Art Cancro <ajc@uncnsrd.mt-kisco.ny.us>

diff --git a/citadel/sysdep.c b/citadel/sysdep.c
index 4ea3d9b2a5644556d6ceb6f0a5824f8a513a35f1..512e6eb5aadd0281f38bb3d84245e21d5b20886b 100644 (file)
--- a/citadel/sysdep.c
+++ b/citadel/sysdep.c
@@ -350,7 +350,7 @@ void cprintf(const char *format, ...) {
         int rc;   
    
         va_start(arg_ptr, format);   
-        rc = vsprintf(buf, format, arg_ptr);   
+        rc = vsnprintf(buf, sizeof buf, format, arg_ptr);   
         va_end(arg_ptr);   
   
        client_write(buf, strlen(buf)); 
@@ -423,6 +423,7 @@ int client_gets(char *buf)
                        buf[strlen(buf) + 1] = 0;
                        retval = client_read(&buf[strlen(buf)], 1);
                        }
+               else break;
                } while ( (buf[strlen(buf)-1] != 10) && (retval==1) );
 
        /* Strip the trailing newline.