• Help with Binkd

    From apam@21:1/125 to All on Wed Aug 30 21:09:06 2017
    Hi

    I've been messing about with WWIV today and discovered when I called wwiv's networkb with binkd, binkd would abort due to a buffer overflow.

    Seems the bug is in ftnaddr.c

    it has the following declaration

    char ext[] = "\0ext";

    then goes on to use it:

    sprintf(ext, ".%03x", fa->z);

    causes a buffer overflow. For some reason the compiler has initialized ext to be only 4 bytes whereas it's meant to be 5. I don't understand why. I usually would have declared it:

    char ext[5] = "\0ext";

    but I thought having a string in quotes would imply there is a null terminator to be added to the length of the string.

    I fixed it by doing:

    char ext[] = "\0ext\0";

    I don't really want to submit a pull request in case my thinking is wrong, but those who use binkd may want to look at it.

    Andrew



    --- ENiGMA 1/2 v0.0.7-alpha (linux; x64; 6.11.2)
    * Origin: Exotica - exoticabbs.com:8888 (21:1/125)
  • From NuSkooler@21:1/121 to apam on Wed Aug 30 08:01:04 2017
    char ext[] = "\0ext";

    A character array isn't null terminated unless you make it null terminated. In this case, you have 4 characters: a null *prefix* (\0) and 'e', 'x', 't'.



    --- ENiGMA 1/2 v0.0.7-alpha (linux; x64; 6.10.3)
    * Origin: Xibalba -+- xibalba.l33t.codes:44510 (21:1/121)
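
The sizes of the three declarations quoted in this thread, and the number of bytes the `sprintf` call needs for a given zone, can be measured directly. This is an added example, not code from binkd or from either poster; the helper names are hypothetical and the zone is assumed to be an unsigned value.

```c
#include <stdio.h>
#include <string.h>

/* The three declarations quoted in the thread. */
static char ext_implicit[]  = "\0ext";    /* size deduced from the literal */
static char ext_explicit[5] = "\0ext";    /* size stated explicitly        */
static char ext_padded[]    = "\0ext\0";  /* the poster's workaround       */

size_t size_implicit(void) { return sizeof ext_implicit; }
size_t size_explicit(void) { return sizeof ext_explicit; }
size_t size_padded(void)   { return sizeof ext_padded; }

/* Bytes that sprintf(ext, ".%03x", zone) writes, terminator included.
 * snprintf with a NULL buffer and size 0 only measures the output.
 * %03x is a minimum width: zones above 0xfff produce more digits. */
size_t bytes_needed(unsigned zone)
{
    int n = snprintf(NULL, 0, ".%03x", zone);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* Bounded formatting (hypothetical helper): returns 0 on success,
 * -1 if the result would not fit, leaving dst as an empty string. */
int format_ext(char *dst, size_t dstsz, unsigned zone)
{
    int n = snprintf(dst, dstsz, ".%03x", zone);
    if (n < 0 || (size_t)n >= dstsz) {
        if (dstsz > 0)
            dst[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char ext[5];
    /* Constructed sample zones: 21 (from the addresses in the thread),
     * the largest 3-digit value, and the first 4-digit value. */
    unsigned zones[] = { 21, 0xfff, 0x1000 };

    printf("sizeof: implicit=%zu explicit=%zu padded=%zu\n",
           size_implicit(), size_explicit(), size_padded());
    for (size_t i = 0; i < sizeof zones / sizeof zones[0]; i++) {
        int rc = format_ext(ext, sizeof ext, zones[i]);
        printf("zone %u needs %zu bytes, rc=%d, ext=\"%s\"\n",
               zones[i], bytes_needed(zones[i]), rc, ext);
    }
    return 0;
}
```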