• src/syncterm/term.c

  • From Deuce@1:103/705 to Git commit to main/sbbs/master on Sun Mar 15 01:06:05 2026
    https://gitlab.synchro.net/main/sbbs/-/commit/d5e37e7999b5adf959d31e60
    Modified Files:
    src/syncterm/term.c
    Log Message:
    Fix buffer overflows and missing NULL checks in term.c

    apc_handler(): two strcat(fn, p) calls append data from APC escape
    sequences (received from the remote BBS) into fn[MAX_PATH+1] without
    length checks. Changed to strlcat(fn, p, sizeof(fn)).

    mousedrag(): sbufsize was declared int but holds
    width * sizeof(vmem_cell) * height, which is assigned to malloc().
    On very large terminal dimensions the int multiplication can wrap,
    causing an undersized allocation. Changed sbufsize to size_t with
    an explicit (size_t) cast on the first operand. Also added a NULL
    check on the three malloc() calls — previously a failed allocation
    would be passed straight to vmem_gettext()/gettext() and crash.

    Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
    --- SBBSecho 3.37-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Deuce@1:103/705 to Git commit to main/sbbs/master on Sun Mar 15 01:06:05 2026
    https://gitlab.synchro.net/main/sbbs/-/commit/95e02a29689ac912ba72c058
    Modified Files:
    src/syncterm/term.c
    Log Message:
    Fix NULL deref, buffer overflow, and over-allocation in term.c

    NULL deref in cet_telesoftware_try_get_block() (line 1269): malloc()
    result dereferenced without NULL check. The caller already handles a
    NULL return via retry loop.

    strncat overflow in apc_handler() (line 4352): The SyncTERM:C;S APC
    handler appended a network-controlled filename to fn[MAX_PATH+1]
    using strncat, whose third argument limits source bytes, not
    destination space. A malicious server sending a long filename in the
    APC sequence overflows the stack buffer. Replace with strlcat bounded
    by sizeof(fn).

    b64_decode_alloc() over-allocation (line 3538): Operator precedence
    bug: "slen * 3 + 3 / 4 + 1" computes slen*3+0+1 (since 3/4 is 0 in
    integer division) instead of the intended base64 size. This wastes 4x
    memory on 64-bit and can wrap size_t on 32-bit. Fix to the standard
    formula (slen+3)/4*3+1.

    Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
    --- SBBSecho 3.37-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
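An added illustration of the two bugs the commit above describes (the base64 size formula with and without the precedence error, and a destination-bounded append with strlcat semantics); this is not code from SyncTERM or the commit, and the helper name bounded_append, the 16-byte buffer and the sample filename are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Size as the original expression computed it: "3 / 4" is evaluated first
 * and is 0 in integer arithmetic, so this is really slen*3 + 1. */
size_t b64_decoded_size_buggy(size_t slen)
{
	return slen * 3 + 3 / 4 + 1;
}

/* Corrected size from the commit: every 4 input chars decode to at most
 * 3 bytes, rounded up, plus one byte for a terminating NUL. */
size_t b64_decoded_size_fixed(size_t slen)
{
	return (slen + 3) / 4 * 3 + 1;
}

/* Hypothetical helper with strlcat semantics (strlcat is not in every
 * libc): the size bounds the DESTINATION, so it never writes past dstsize
 * bytes, always NUL-terminates when dstsize > 0, and returns the length
 * the full concatenation would have had (truncated iff ret >= dstsize). */
size_t bounded_append(char *dst, const char *src, size_t dstsize)
{
	size_t dlen = 0, slen = strlen(src), room, ncopy;

	while (dlen < dstsize && dst[dlen] != '\0')
		dlen++;
	if (dlen == dstsize)	/* dst is not NUL-terminated within dstsize */
		return dstsize + slen;
	room = dstsize - dlen - 1;
	ncopy = slen < room ? slen : room;
	memcpy(dst + dlen, src, ncopy);
	dst[dlen + ncopy] = '\0';
	return dlen + slen;
}

int main(void)
{
	/* Constructed sample: a 16-byte name buffer and an over-long filename,
	 * standing in for the APC-supplied name in apc_handler(). */
	char fn[16] = "dl/";
	const char *name = "a-very-long-filename-from-the-remote.bin";
	size_t want = bounded_append(fn, name, sizeof(fn));

	printf("fn=\"%s\" truncated=%s\n", fn, want >= sizeof(fn) ? "yes" : "no");
	printf("slen=100: buggy=%zu fixed=%zu\n",
	    b64_decoded_size_buggy(100), b64_decoded_size_fixed(100));
	return 0;
}
```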
  • From Deuce@1:103/705 to Git commit to main/sbbs/master on Sun Mar 15 19:01:12 2026
    https://gitlab.synchro.net/main/sbbs/-/commit/fe6b7aceafcd4768736620c7
    Modified Files:
    src/syncterm/term.c
    Log Message:
    Fix truncated conn_send() lengths for keyboard escape sequences

    43 conn_send() calls were passing incorrect buffer lengths, causing
    truncated escape sequences to be sent to the remote host:

    - Delete key (non-DECBKM): sent 1 byte of "\x1b[3~" instead of 4
    - F1-F5: sent 3 bytes of 5-byte sequences (e.g. "\033[11~")
    - Shift+F1-F5, Ctrl+F1-F5, Alt+F1-F5: sent 3 bytes of 7-byte
    sequences (e.g. "\033[11;2~")
    - Shift+F6-F12, Ctrl+F6-F12, Alt+F6-F12: sent 5 bytes of 7-byte
    sequences (e.g. "\033[17;2~")

    The lengths appear to have been copy-pasted from the 3-byte arrow key
    sequences without being updated for the longer function key strings.

    Unmodified F6-F12 (5-byte) and arrow/nav keys (3-byte) were already
    correct.

    Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
    --- SBBSecho 3.37-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)