From 669af19c94a3cbb07a26235bd19b9a55a9918dd1 Mon Sep 17 00:00:00 2001
From: Art Cancro
Date: Sun, 21 Nov 1999 18:30:17 +0000
Subject: [PATCH] * Protected cmd_move() from buffer overrun (no longer crashes the server) * cmd_chat() -- truncate input at 100 characters to prevent buffer overruns. Also handle broken client sockets properly. (Thanks to DME for bug report)
---
 citadel/ChangeLog | 6 ++++++
 citadel/msgbase.c | 3 ++-
 citadel/serv_chat.c | 19 ++++++++++++++++---
 citadel/sysdep.c | 3 ++-
 4 files changed, 26 insertions(+), 5 deletions(-)
diff --git a/citadel/ChangeLog b/citadel/ChangeLog
index a99508ebc..b6a35c96a 100644
--- a/citadel/ChangeLog
+++ b/citadel/ChangeLog
@@ -1,4 +1,9 @@
 $Log$
+Revision 1.420 1999/11/21 18:30:16 ajc
+* Protected cmd_move() from buffer overrun (no longer crashes the server)
+* cmd_chat() -- truncate input at 100 characters to prevent buffer overruns.
+ Also handle broken client sockets properly. (Thanks to DME for bug report)
+
 Revision 1.419 1999/11/19 01:57:40 ajc
 * Fixed a *serious* memory leak in the database function wrappers.
 * Updated version number to 5.60 -- run setup when installing this version.
@@ -1457,3 +1462,4 @@ Sat Jul 11 00:20:48 EDT 1998 Nathan Bryant
 Fri Jul 10 1998 Art Cancro
 * Initial CVS import
+
diff --git a/citadel/msgbase.c b/citadel/msgbase.c
index 7c18b943c..5b37783ff 100644
--- a/citadel/msgbase.c
+++ b/citadel/msgbase.c
@@ -2078,13 +2078,14 @@ void cmd_dele(char *delstr)
 void cmd_move(char *args)
 {
 long num;
- char targ[32];
+ char targ[256];
 struct quickroom qtemp;
 int err;
 int is_copy = 0;
 num = extract_long(args, 0);
 extract(targ, args, 1);
+ targ[ROOMNAMELEN - 1] = 0;
 is_copy = extract_int(args, 2);
 getuser(&CC->usersupp, CC->curr_user);
diff --git a/citadel/serv_chat.c b/citadel/serv_chat.c
index 88d343e0b..42134ac77 100644
--- a/citadel/serv_chat.c
+++ b/citadel/serv_chat.c
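Review bot: In the cmd_move() hunk of citadel/msgbase.c, `extract(targ, args, 1)` still copies the field before `targ[ROOMNAMELEN - 1] = 0` truncates it, so the overrun is only pushed out from 32 to 256 bytes unless something outside this hunk caps the length of `args`. extract() is not visible here; if it takes no destination size, the guard belongs before the copy, for example by rejecting the command when the second field does not fit in `targ`. The literal 256 is also unrelated to ROOMNAMELEN, so the truncating write is only in bounds while ROOMNAMELEN <= 256; sizing the buffer from that constant, or adding a comment such as `/* targ must hold the longest field extract() can return; room names are cut to ROOMNAMELEN */`, would record the assumption. The body of cmd_move() continues past the end of the hunk.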
@@ -116,7 +116,8 @@ void allwrite(char *cmdbuf, int flag, char *roomname, char *username)
 ChatQueue = ChatQueue->next;
 phree(clptr);
 }
- DONE_FREEING:end_critical_section(S_CHATQUEUE);
+DONE_FREEING:
+ end_critical_section(S_CHATQUEUE);
 }
@@ -226,10 +227,22 @@ void cmd_chat(char *argbuf)
 while (1) {
 int ok_cmd;
+ int linelen;
 ok_cmd = 0;
- cmdbuf[strlen(cmdbuf) + 1] = 0;
- retval = client_read_to(&cmdbuf[strlen(cmdbuf)], 1, 2);
+ linelen = strlen(cmdbuf);
+ if (linelen > 100) --linelen; /* truncate too-long lines */
+ cmdbuf[linelen + 1] = 0;
+
+ retval = client_read_to(&cmdbuf[linelen], 1, 2);
+
+ if (retval < 0) { /* socket broken? */
+ if ((CC->cs_flags & CS_STEALTH) == 0) {
+ allwrite("", 0,
+ CC->chat_room, NULL);
+ }
+ return;
+ }
 /* if we have a complete line, do send processing */
 if (strlen(cmdbuf) > 0)
diff --git a/citadel/sysdep.c b/citadel/sysdep.c
index 7d7b1d043..e34211911 100644
--- a/citadel/sysdep.c
+++ b/citadel/sysdep.c
@@ -397,7 +397,8 @@ void cprintf(const char *format, ...) {
 * Return values are:
 * 1 Requested number of bytes has been read.
 * 0 Request timed out.
- * If the socket breaks, the session is immediately terminated.
+ * -1 The socket is broken.
+ * If the socket breaks, the session will be terminated.
 */
 int client_read_to(char *buf, int bytes, int timeout)
 {
--
2.39.2
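Review bot: In the cmd_chat() hunk of citadel/serv_chat.c, the limit in `if (linelen > 100) --linelen;` is a bare literal that is not tied to the size of `cmdbuf`, whose declaration lies outside the hunk. With this logic the loop can write as far as index 101 (`cmdbuf[linelen + 1] = 0` with linelen == 100), so the fix holds only while the buffer has at least 102 bytes. If `cmdbuf` is a local array, deriving the bound from it keeps the two in step: `if (linelen >= (int)sizeof(cmdbuf) - 2) --linelen;`. The new `return` on `retval < 0` also leaves the loop without whatever cleanup follows it in cmd_chat(), which is not shown here and is worth checking.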