• src/syncterm/ripper.c

    From Deuc¿@VERT to Git commit to main/sbbs/master on Sun Feb 22 11:38:19 2026
    https://gitlab.synchro.net/main/sbbs/-/commit/f73b6e394587333ffd76521c
    Modified Files:
    src/syncterm/ripper.c
    Log Message:
    Parse RIP_NO_MORE in RIP_STATE_PIPE, not RIP_STATE_CMD

    This will likely screw up on !|0#, but hopefully nobody has ever done
    that.

    Fixes ticket 218

    ---
    þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net
  • From Deuc¿@VERT to Git commit to main/sbbs/master on Mon Feb 23 16:17:52 2026
    https://gitlab.synchro.net/main/sbbs/-/commit/27e6a20fa2b8661b46668d88
    Modified Files:
    src/syncterm/ripper.c
    Log Message:
    Fix new potential RIP crash

    Would potentially use a negative length after a |#

  • From Deuc¿@VERT to Git commit to main/sbbs/master on Sun Mar 15 01:06:05 2026
    https://gitlab.synchro.net/main/sbbs/-/commit/bb2238f684befe43deb34cea
    Modified Files:
    src/syncterm/ripper.c
    Log Message:
    Fix heap buffer overflows in ripper.c RIPscrip command handling

    Four strcat() calls append RIPscrip arguments (from the remote server)
    to cache_path[MAX_PATH+1] without checking whether the result fits.
    The path-traversal guards reject "..", "/", and "\" but do not limit
    length. A long filename from a malicious RIPscrip server overflows
    the buffer.

    Changed to strlcat(cache_path, ..., sizeof(cache_path)) at all four
    sites: file-query (&args[6]), icon-load (&args[9] + ".ICN"), and
    icon-save (&args[1]). The existing SkyPix download path already had
    a strlen() guard and was not affected.

    Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

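As an added example (not code from ripper.c or the Synchronet project), the bounded append described in the last commit message above, applied to a remote-supplied filename. `demo_strlcat`, `build_cache_path` and `DEMO_MAX_PATH` are hypothetical names; the helper stands in for strlcat() because not every libc provides it, and the truncation check on its return value goes beyond what the commit message states.

```c
#include <stdio.h>
#include <string.h>

#define DEMO_MAX_PATH 32 /* constructed, small so the limit is easy to hit */

/* Stand-in with strlcat() semantics: never writes past dst[size - 1], always
 * NUL-terminates, returns the length the untruncated result would have had. */
static size_t demo_strlcat(char *dst, const char *src, size_t size)
{
    const char *end = memchr(dst, '\0', size);
    size_t dlen = end ? (size_t)(end - dst) : size;
    size_t slen = strlen(src);

    if (dlen == size)
        return size + slen; /* dst not terminated inside the buffer */
    if (slen < size - dlen) {
        memcpy(dst + dlen, src, slen + 1);
    } else {
        memcpy(dst + dlen, src, size - dlen - 1);
        dst[size - 1] = '\0';
    }
    return dlen + slen;
}

/* Build "<dir><name><ext>" in out[DEMO_MAX_PATH + 1]; name is remote-supplied.
 * The unbounded form, strcat(out, name), writes past the buffer for long names.
 * Returns 0 on success, -1 when the result would not fit. */
int build_cache_path(char *out, const char *dir, const char *name, const char *ext)
{
    const size_t size = DEMO_MAX_PATH + 1;

    out[0] = '\0';
    if (demo_strlcat(out, dir, size) >= size ||
        demo_strlcat(out, name, size) >= size ||
        demo_strlcat(out, ext, size) >= size)
        return -1; /* truncated: refuse rather than open a partial path */
    return 0;
}

int main(void)
{
    char path[DEMO_MAX_PATH + 1];
    char longname[200];
    memset(longname, 'A', sizeof(longname) - 1);
    longname[sizeof(longname) - 1] = '\0';
    printf("%d\n", build_cache_path(path, "/tmp/rip/", "LOGO", ".ICN"));
    printf("%d\n", build_cache_path(path, "/tmp/rip/", longname, ".ICN"));
    return 0;
}
```

Treating truncation as an error matters here because a silently shortened path can name a different cache file than the one the server asked for.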