From fb584f7676a14bc3889f48bdc4b95af3e84f1f37 Mon Sep 17 00:00:00 2001
From: sin <sin@2f30.org>
Date: Tue, 7 Oct 2014 01:43:17 +0100
Subject: Fix possible stack corruption when parsing friend IDs

---
 ratox.c | 23 ++++++++++++++++-------
 1 file changed, 16 insertions(+), 7 deletions(-)

(limited to 'ratox.c')

diff --git a/ratox.c b/ratox.c
index f39465d..9ad1566 100644
--- a/ratox.c
+++ b/ratox.c
@@ -1446,17 +1446,26 @@ sendfriendreq(void *data)
 		return;
 	buf[n] = '\0';
 
-	for (p = buf; *p && isspace(*p) == 0; p++)
+	/* locate start of msg */
+	for (p = buf; *p && !isspace(*p); p++)
 		;
-	if (*p != '\0') {
-		*p = '\0';
-		while (isspace(*p++) != 0)
-			;
-		if (*p != '\0')
-			msg = p;
+	if (*p == '\0')
+		goto out; /* no msg */
+	*p++ = '\0';
+	if (*p == '\0') {
+		goto out; /* no msg */
+	} else {
+		msg = p;
 		if (msg[strlen(msg) - 1] == '\n')
 			msg[strlen(msg) - 1] = '\0';
 	}
+out:
+	if (strlen(buf) != sizeof(id) * 2) {
+		ftruncate(gslots[REQUEST].fd[ERR], 0);
+		lseek(gslots[REQUEST].fd[ERR], 0, SEEK_SET);
+		dprintf(gslots[REQUEST].fd[ERR], "Invalid friend ID\n");
+		return;
+	}
 	str2id(buf, id);
 
 	r = tox_add_friend(tox, id, (uint8_t *)buf, strlen(buf));
-- 
cgit v1.2.3