From 89bb7d65fb1e77ccc0696a7e76b57813ea316dcb Mon Sep 17 00:00:00 2001 From: Simon Arlott Date: Sun, 25 Jun 2017 19:48:49 +0100 Subject: [PATCH] ircd: s_conf: fix use of strlcpy in strip_tabs strlcpy should be called with the size of the destination buffer, not the length of the source string. When the source is an empty string, the destination buffer isn't written at all, resulting in it trying to output uninitialised data. This could also cause a buffer overflow on very long invalid config lines. --- ircd/s_conf.c | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/ircd/s_conf.c b/ircd/s_conf.c index f2685bcb..37478611 100644 --- a/ircd/s_conf.c +++ b/ircd/s_conf.c @@ -1615,15 +1615,15 @@ conf_add_d_conf(struct ConfItem *aconf) } } -static char * -strip_tabs(char *dest, const char *src, size_t len) +static void +strip_tabs(char *dest, const char *src, size_t size) { char *d = dest; if(dest == NULL || src == NULL) - return NULL; + return; - rb_strlcpy(dest, src, len); + rb_strlcpy(dest, src, size); while(*d) { @@ -1631,7 +1631,6 @@ strip_tabs(char *dest, const char *src, size_t len) *d = ' '; d++; } - return dest; } /* @@ -1646,7 +1645,7 @@ yyerror(const char *msg) { char newlinebuf[BUFSIZE]; - strip_tabs(newlinebuf, yy_linebuf, strlen(yy_linebuf)); + strip_tabs(newlinebuf, yy_linebuf, sizeof(newlinebuf)); ierror("\"%s\", line %d: %s at '%s'", conffilebuf, lineno + 1, msg, newlinebuf); sendto_realops_snomask(SNO_GENERAL, L_ALL, "\"%s\", line %d: %s at '%s'",