• Bug: usage-of-uninitialized value

    From Andrew Bao@1:103/705 to GitLab note in main/sbbs on Sun Oct 17 12:59:24 2021
    https://gitlab.synchro.net/main/sbbs/-/issues/276#note_2122

    Hi Rob, sorry for the late reply. This issue was flagged by a static analysis scanner. Since function scansubs() initializes `str[256] = ""`, in function scanallsubs() `str[256]` is better initialized when it gets allocated. According to my analysis of the code, `str[256]` only gets initialized if SCAN_FIND mode is set. However, when str gets used in scanposts(), scanallsubs() doesn't check what mode it is. At least, str will somehow be in the uninitialized state if it is not initialized by getstr(). In scanposts, the find parameter is not only used in `safe_snprintf(cmdline, sizeof(cmdline), "%s %s %ld %s", cfg.scanposts_mod, cfg.sub[subnum]->code, mode, find);` but also in `if(strcasestr(buf,find) == NULL && strcasestr(msg.subj, find) == NULL && (msg.tags == NULL || strcasestr(msg.tags, find) == NULL)) {` to determine the if condition.
    --- SBBSecho 3.14-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Andrew Bao@1:103/705 to GitLab issue in main/sbbs on Sun Oct 17 12:59:24 2021
    reopen https://gitlab.synchro.net/main/sbbs/-/issues/276

    A new bug is found. It is in src/sbbs3/scansubs.cpp:

    ```
    void sbbs_t::scanallsubs(long mode)
    {
        char str[256];
        char tmp[512];
        .....
        for(i=0; i<total_subs && !msgabort(); i++) {
            if(mode&SCAN_POLLS)
                progress(text[Scanning], i, total_subs, 10);
            if(scanposts(sub[i],mode,str))
                break;
        }
    ```

    In function sbbs_t::scanallsubs, array str is not initialized in the first place. It may be initialized inside an if branch by getstr(). However, it may not be initialized in another branch and be directly used by scanposts(). Then str will be written into cmdline by function safe_snprintf in scanposts(): `safe_snprintf(cmdline, sizeof(cmdline), "%s %s %ld %s", cfg.scanposts_mod, cfg.sub[subnum]->code, mode, find);` which may cause arbitrary code execution somehow (I am not sure, but it is definitely uninitialized value use). Thank you for the review. I also reported this bug to CVE.
    --- SBBSecho 3.14-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
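    The caller/callee pattern described in the message above, as an added example that is not Synchronet's code: a hypothetical `scanposts_like()` treats its `find` argument as a string on every path, `scanallsubs_vulnerable()` leaves the buffer uninitialised exactly as the report describes, and `scanallsubs_hardened()` applies the empty-string initialiser Andrew suggests. The SCAN_FIND value and the subject lines are constructed.

```c
#define _GNU_SOURCE          /* strcasestr() needs this on glibc */
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the pattern in the issue, not Synchronet's own code.
 * SCAN_FIND (constructed value) is the only mode in which the caller fills
 * the search buffer; every other path would hand the callee garbage. */
#define SCAN_FIND 0x01

/* Modelled on scanposts(): `find` is copied into a command line and used as
 * a strcasestr() needle. Returns 1 if the post is scanned/matched, else 0. */
static int scanposts_like(const char *subj, long mode, const char *find)
{
    char cmdline[512];
    snprintf(cmdline, sizeof cmdline, "%s %ld %s", "scanposts_mod", mode, find);
    if (!(mode & SCAN_FIND))
        return 1;                   /* no filter: every post is scanned */
    /* An empty needle makes strcasestr() match everything, so reject it. */
    if (find[0] == '\0' || strcasestr(subj, find) == NULL)
        return 0;
    return 1;
}

/* 'Before': str is uninitialised on every non-SCAN_FIND path, yet it is
 * still passed to the callee. Kept for contrast only; do not call it
 * (MemorySanitizer reports the read inside snprintf). */
int scanallsubs_vulnerable(long mode, const char *input, const char **subjs, int n)
{
    char str[256];                  /* BUG: no initialiser */
    int hits = 0;
    if (mode & SCAN_FIND)
        snprintf(str, sizeof str, "%s", input);   /* stands in for getstr() */
    for (int i = 0; i < n; i++)
        hits += scanposts_like(subjs[i], mode, str);
    return hits;
}

/* 'After': the empty-string initialiser suggested in the thread, so the
 * callee always receives a valid NUL-terminated string. */
int scanallsubs_hardened(long mode, const char *input, const char **subjs, int n)
{
    char str[256] = "";             /* FIX: valid string on every path */
    int hits = 0;
    if ((mode & SCAN_FIND) && input != NULL)
        snprintf(str, sizeof str, "%s", input);
    for (int i = 0; i < n; i++)
        hits += scanposts_like(subjs[i], mode, str);
    return hits;
}
```

    Building with clang's `-fsanitize=memory` and calling the vulnerable variant with mode 0 reports the uninitialised read inside snprintf; the hardened variant runs clean.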
  • From Rob Swindell@1:103/705 to GitLab note in main/sbbs on Sun Oct 17 18:31:34 2021
    https://gitlab.synchro.net/main/sbbs/-/issues/276#note_2123

    What static analysis scanner? Can you share those analysis results?
    --- SBBSecho 3.14-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Rob Swindell@1:103/705 to GitLab note in main/sbbs on Sun Oct 17 18:33:22 2021
    https://gitlab.synchro.net/main/sbbs/-/issues/276#note_2124

    I'm not clear why you reopened this issue. I thought it was addressed with https://gitlab.synchro.net/main/sbbs/-/commit/ff7c73d863508d22c0a224eb3e460082af3b7fa9
    --- SBBSecho 3.14-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Rob Swindell@1:103/705 to GitLab note in main/sbbs on Thu Feb 24 00:22:50 2022
    https://gitlab.synchro.net/main/sbbs/-/issues/276#note_2312

    This issue has been resolved.
    --- SBBSecho 3.14-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Rob Swindell@1:103/705 to GitLab issue in main/sbbs on Thu Feb 24 00:22:50 2022
    close https://gitlab.synchro.net/main/sbbs/-/issues/276
    --- SBBSecho 3.14-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)