Set length modifiers for group and desc
nntp_add_group parses a line controlled by the connected nntp server.
Restrict the maximum lengths read into the stack buffers group and desc.
jeriko-one authored and flatcap committed Jul 4, 2018
1 parent 737c177 commit 6296f71
Showing 1 changed file with 6 additions and 2 deletions.
8 changes: 6 additions & 2 deletions newsrc.c
@@ -592,16 +592,20 @@ int nntp_add_group(char *line, void *data)
{
struct NntpServer *nserv = data;
struct NntpData *nntp_data = NULL;
char group[LONG_STRING];
char group[LONG_STRING] = "";
char desc[HUGE_STRING] = "";
char mod;
anum_t first, last;

if (!nserv || !line)
return 0;

if (sscanf(line, "%s " ANUM " " ANUM " %c %[^\n]", group, &last, &first, &mod, desc) < 4)
/* These sscanf limits must match the sizes of the group and desc arrays */
if (sscanf(line, "%1023s " ANUM " " ANUM " %c %8191[^\n]", group, &last, &first, &mod, desc) < 4)
{
mutt_debug(4, "Cannot parse server line: %s\n", line);
return 0;
}

nntp_data = nntp_data_find(nserv, group);
nntp_data->deleted = false;
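Review bot: The field widths `%1023s` and `%8191[^\n]` in the new sscanf call are hard-coded literals, tied to `LONG_STRING` and `HUGE_STRING` only by the comment above them, so a later change to either macro or to the array declarations could silently bring back the stack overflow this commit closes. A compile-time check beside the declarations would enforce the coupling, for example `_Static_assert(sizeof(group) > 1023 && sizeof(desc) > 8191, "sscanf widths must fit group and desc");`. That form needs C11; if the project builds as C99, an equivalent negative-array-size typedef would do the same job. nntp_add_group's body continues past the end of the hunk.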