Pat Rankin wrote:

> The `prompt' buffer in tty_yn_function still only holds QBUFSZ
> characters. But fixing the tty incarnation wouldn't be good enough;
> all the other interfaces would need to handle it too.  I think it
> should be fixed in the core instead.  Prompt strings simply should
> not be allowed to become so lengthy.

Another step in the fight against prompt sting buffer overflows.
The goes after the ones that may not have been found yet.

This makes yn_function a real core function and removes
the #define yn_function macro.

The yn_function validates the prompt string buffer being
passed prior to calling (*windowprocs.win_yn_function)(),
and if necessary, truncating it and adding "...".

This won't help if the overflow occurs in the core in
a buffer that is still QBUFSZ in size, but it will help if
a BUFSZ buffer is being passed to one of the query
functions.

diff --git a/include/extern.h b/include/extern.h
index 4c47a70b90621b02d1a1f5eca599091fa71e71e5..59c3830d61198154a22a3061e6731c5ce0b2bdb3 100644 (file)
--- a/include/extern.h
+++ b/include/extern.h
@@ -178,6 +178,7 @@ E char NDECL(readchar);
 #ifdef WIZARD
 E void NDECL(sanity_check);
 #endif
+E char FDECL(yn_function, (const char *, const char *, CHAR_P));
 
 /* ### dbridge.c ### */
 

diff --git a/include/winprocs.h b/include/winprocs.h
index 6063d283a7a42be7f3b8c7de9479f4492bf6ef5e..466a6793b47e55853ee198d6d60adf6cece9f9d2 100644 (file)
--- a/include/winprocs.h
+++ b/include/winprocs.h
@@ -108,7 +108,6 @@ extern NEARDATA struct window_procs windowprocs;
 #define nh_poskey (*windowprocs.win_nh_poskey)
 #define nhbell (*windowprocs.win_nhbell)
 #define nh_doprev_message (*windowprocs.win_doprev_message)
-#define yn_function (*windowprocs.win_yn_function)
 #define getlin (*windowprocs.win_getlin)
 #define get_ext_cmd (*windowprocs.win_get_ext_cmd)
 #define number_pad (*windowprocs.win_number_pad)
@@ -122,6 +121,12 @@ extern NEARDATA struct window_procs windowprocs;
 #define get_color_string (*windowprocs.win_get_color_string)
 #endif
 
+/* 3.4.2: There is a real yn_function() in the core now, which does
+ *        some buffer length validation on the parameters prior to
+ *        invoking the window port routine. yn_function() is in cmd.c
+ */
+/* #define yn_function (*windowprocs.win_yn_function) */
+
 /* other defs that really should go away (they're tty specific) */
 #define start_screen (*windowprocs.win_start_screen)
 #define end_screen (*windowprocs.win_end_screen)

diff --git a/src/cmd.c b/src/cmd.c
index 38f6b7ba099e61284e66cdb42f81ef400c83f9ae..8897856cc611d16f6ee98ad7ddfeb61e4b7ea595 100644 (file)
--- a/src/cmd.c
+++ b/src/cmd.c
@@ -2452,5 +2452,31 @@ wiz_port_debug()
 # endif /*PORT_DEBUG*/
 
 #endif /* OVL0 */
+#ifdef OVLB
+/*
+ *   Parameter validator for generic yes/no function to prevent
+ *   the core from sending too long a prompt string to the
+ *   window port causing a buffer overflow there.
+ */
+char
+yn_function(query,resp, def)
+const char *query,*resp;
+char def;
+{
+       char qbuf[QBUFSZ];
+       unsigned truncspot, reduction = sizeof(" [N]  ?") + 1;
+
+       if (resp) reduction += strlen(resp) + sizeof(" () ");
+       if (strlen(query) < (QBUFSZ - reduction))
+               return (*windowprocs.win_yn_function)(query, resp, def);
+       paniclog("Query truncated: ", query);
+       reduction += sizeof("...");
+       truncspot = QBUFSZ - reduction;
+       (void) strncpy(qbuf, query, truncspot);
+       qbuf[truncspot] = '\0';
+       Strcat(qbuf,"...");
+       return (*windowprocs.win_yn_function)(qbuf, resp, def);
+}
+#endif
 
 /*cmd.c*/