
Commit 6296f71

jeriko-oneflatcap
authored andcommitted
Set length modifiers for group and desc
nntp_add_group parses a line controlled by the connected NNTP server. Restrict the maximum lengths read into the stack buffers group and desc.
1 parent 737c177 commit 6296f71


1 file changed

+6
-2
lines changed

1 file changed

+6
-2
lines changed

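--- a/newsrc.c
+++ b/newsrc.c
@@ -592,16 +592,20 @@ int nntp_add_group(char *line, void *data)
 {
 struct NntpServer *nserv = data;
 struct NntpData *nntp_data = NULL;
-char group[LONG_STRING];
+char group[LONG_STRING] = "";
 char desc[HUGE_STRING] = "";
 char mod;
 anum_t first, last;
 
 if (!nserv || !line)
 return 0;
 
-if (sscanf(line, "%s " ANUM " " ANUM " %c %[^\n]", group, &last, &first, &mod, desc) < 4)
+/* These sscanf limits must match the sizes of the group and desc arrays */
+if (sscanf(line, "%1023s " ANUM " " ANUM " %c %8191[^\n]", group, &last, &first, &mod, desc) < 4)
+{
+mutt_debug(4, "Cannot parse server line: %s\n", line);
 return 0;
+}
 
 nntp_data = nntp_data_find(nserv, group);
 nntp_data->deleted = false;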
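Review bot: The field widths `1023` and `8191` in the new sscanf format are tied to `LONG_STRING` and `HUGE_STRING` only by the comment above the call, so a later change to either macro would silently bring back the stack overflow this commit closes. A compile-time check beside the declarations would enforce the coupling, for example `_Static_assert(sizeof(group) >= 1024 && sizeof(desc) >= 8192, "sscanf widths must fit group/desc");`, or the project's own equivalent if C11 is not available. The macro values are not visible on this page, so the 1024 and 8192 sizes are inferred from the comment and should be confirmed against the definitions. nntp_add_group continues past the end of this hunk.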
