BBS: TELESC.NET.BR
Subject: src/syncterm/ripper.c
From: Deuce
Date: Sun, 15 Mar 2026 01:06:05 -0700
-----------------------------------------------------------
https://gitlab.synchro.net/main/sbbs/-/commit/bb2238f684befe43deb34cea

Modified Files:
src/syncterm/ripper.c

Log Message:
Fix heap buffer overflows in ripper.c RIPscrip command handling

Four strcat() calls append RIPscrip arguments (from the remote server) to cache_path[MAX_PATH+1] without checking whether the result fits. The path-traversal guards reject "..", "/", and "\" but do not limit length. A long filename from a malicious RIPscrip server overflows the buffer.

Changed to strlcat(cache_path, ..., sizeof(cache_path)) at all four sites: file-query (&args[6]), icon-load (&args[9] + ".ICN"), and icon-save (&args[1]). The existing SkyPix download path already had a strlen() guard and was not affected.

Co-Authored-By: Claude Opus 4.6
---
Synchronet - Vertrauen - Home of Synchronet - [vert/cvs/bbs].synchro.net
-----------------------------------------------------------
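The pattern the commit message describes, shown as an added example rather than the ripper.c code itself: a fixed-size cache_path buffer, the traversal guards that reject "..", "/" and "\", and a bounded append that also treats a name too long to fit as a failure. Because not every libc ships strlcat, the block uses a portable stand-in (bounded_cat, OpenBSD strlcat semantics); MAX_PATH's value, the cache_dir prefix, and the function names are assumptions chosen for illustration, and the 300-byte name is a constructed sample of what a remote server could send.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Assumption: illustrative size, not the value SyncTERM uses. */
#define MAX_PATH 260

/* Portable strlcat stand-in with OpenBSD semantics: never writes past `size`
 * bytes, always NUL-terminates when size > 0, and returns the length it tried
 * to build so the caller can detect truncation (result >= size). */
static size_t bounded_cat(char *dst, const char *src, size_t size)
{
    size_t dlen = strnlen(dst, size);
    size_t slen = strlen(src);
    if (dlen == size)
        return size + slen;          /* dst not terminated within size; append nothing */
    size_t room = size - dlen - 1;   /* bytes left before the terminator */
    size_t n = slen < room ? slen : room;
    memcpy(dst + dlen, src, n);
    dst[dlen + n] = '\0';
    return dlen + slen;
}

/* Build cache_dir + name + ext into cache_path. Returns 1 on success, 0 when
 * the name fails the traversal guards or the result would not fit. With the
 * old strcat() the length case was never checked, which is the overflow. */
int build_cache_path(char *cache_path, size_t size, const char *cache_dir,
                     const char *name, const char *ext)
{
    /* Same guards as the message describes: no "..", "/" or "\" in the name. */
    if (strstr(name, "..") || strchr(name, '/') || strchr(name, '\\'))
        return 0;
    cache_path[0] = '\0';
    if (bounded_cat(cache_path, cache_dir, size) >= size) return 0;
    if (bounded_cat(cache_path, name, size) >= size) return 0;
    if (ext && bounded_cat(cache_path, ext, size) >= size) return 0;
    return 1;
}

/* A well-formed icon-load request: "LOGO" + ".ICN" fits and is accepted. */
int icon_path_ok(void)
{
    char buf[MAX_PATH + 1];
    return build_cache_path(buf, sizeof buf, "cache/", "LOGO", ".ICN") == 1
        && strcmp(buf, "cache/LOGO.ICN") == 0;
}

/* Constructed sample: a 300-byte name passes the traversal guards but is
 * longer than the buffer. The bounded append reports failure and the buffer
 * stays terminated within MAX_PATH bytes instead of being overrun. */
int long_name_rejected(void)
{
    char buf[MAX_PATH + 1];
    char name[301];
    memset(name, 'A', 300);
    name[300] = '\0';
    int ok = build_cache_path(buf, sizeof buf, "cache/", name, ".ICN");
    return ok == 0 && strlen(buf) <= MAX_PATH;
}

/* Traversal guard still applies before any length check. */
int traversal_rejected(void)
{
    char buf[MAX_PATH + 1];
    return build_cache_path(buf, sizeof buf, "cache/", "../etc", NULL) == 0;
}

int main(void)
{
    printf("icon path ok: %d\n", icon_path_ok());
    printf("long name rejected: %d\n", long_name_rejected());
    printf("traversal rejected: %d\n", traversal_rejected());
    return 0;
}
```

The point the commit makes is that the guards and the length check are independent: filtering characters says nothing about size, so every append into a fixed buffer needs its own bound, and a bounded append that reports truncation lets the caller reject the request rather than silently use a clipped path.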