https://gitlab.synchro.net/main/sbbs/-/commit/e5ddda76d568b467f45c1ee2
Modified Files:
src/sbbs3/postmsg.cpp
Log Message:
postmsg: fix segfault in savemsg/votemsg for ad-hoc (is_path) MsgBases
savemsg() and votemsg() both unconditionally dereferenced
cfg->sub[smb->subnum] when posting the "MsgPostedToYou" / vote
notification text - gated only by the subnum != INVALID_SUB check, not
by subnum_is_valid(). For an "is_path" MsgBase (created from JS as
"new MsgBase(path, true)"), js_msgbase_constructor sets
smb.subnum = scfg->total_subs (intentionally not INVALID_SUB so it
isn't treated as the mail base), which is one past the end of the
cfg->sub[] array. The deref was a guaranteed segfault whenever a
to_ext-tagged message was saved/voted on into such a base.
Reproducer (against any Synchronet install, via jsexec):
var p = system.temp_dir + "tmp_" + Date.now();
var mb = new MsgBase(p, true); mb.open();
mb.save_msg({to:"x", to_ext:"1", from:"y", subject:"z"}, "body");
// -> SIGSEGV inside savemsg, after smb_addmsg() succeeds
The crashing path: msg has to_ext set and resolves to a real local
user (usernum > 0); subnum != INVALID_SUB so the else-branch fires;
that branch formats cfg->text[MsgPostedToYouVia] using
cfg->grp[cfg->sub[subnum]->grp]->sname and cfg->sub[subnum]->lname.
With subnum == total_subs both reads are out of bounds.
Fix: gate the else branch in savemsg on subnum_is_valid(), and add the
same guard to the entire vote-notification block in votemsg. When the
sub isn't a known sub-board (is_path / ad-hoc msgbase), skip the local
"you have a message" putsmsg notification - there's no sub/grp metadata
to format the standard text against, and the JS caller didn't ask for
sub-board side effects.
The unguarded deref itself dates back further, but it became reachable
when commit 93b4d946c ("Security improvements to MsgBase and FileBase
constructors") added the "is_path=true" constructor option that sets
subnum = total_subs.
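The bounds problem the commit describes, reduced to a small C model. This is an added example and not Synchronet's code: the names (cfg->sub[], total_subs, INVALID_SUB, subnum_is_valid) mirror the ones in the commit message, but the structs, the sentinel value and the notification wording are simplified assumptions. It shows why an index of total_subs passes the subnum != INVALID_SUB gate yet fails subnum_is_valid(), and how the hardened branch skips the format instead of reading one past the end of the array.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumption: Synchronet's sentinel for "the mail base, not a sub-board"; the value
 * is modelled here, only its role matters. */
#define INVALID_SUB 0xffffu

/* Simplified stand-ins for Synchronet's grp_t / sub_t / scfg_t (not the real structs). */
typedef struct { char sname[16]; } grp_t;
typedef struct { char lname[32]; unsigned grp; } sub_t;
typedef struct {
    grp_t*   grp[4];
    sub_t*   sub[4];
    unsigned total_subs;  /* sub[0..total_subs-1] are configured; sub[total_subs] is past the end */
} scfg_t;

/* Bounds check the fix gates on: only indexes below total_subs name a real sub-board.
 * Both INVALID_SUB and total_subs itself fail it. */
static bool subnum_is_valid(const scfg_t* cfg, unsigned subnum)
{
    return subnum < cfg->total_subs;
}

/* The three outcomes of the notification logic after the fix. */
typedef enum {
    NOTIFY_MAILBASE,  /* subnum == INVALID_SUB: "MsgPostedToYou" text, no sub metadata needed */
    NOTIFY_SUB,       /* real sub-board: format the "via <group> <sub>" text */
    NOTIFY_SKIP       /* is_path / ad-hoc base: nothing to format against, so skip */
} notify_t;

static notify_t classify(const scfg_t* cfg, unsigned subnum)
{
    if (subnum == INVALID_SUB)           /* the only gate the pre-fix code had */
        return NOTIFY_MAILBASE;
    if (!subnum_is_valid(cfg, subnum))   /* the gate the fix adds */
        return NOTIFY_SKIP;
    return NOTIFY_SUB;
}

/* Hardened equivalent of the else-branch: reads cfg->sub[subnum] only after classify()
 * says it is in bounds. Returns NULL when no sub-board text applies. The wording is a
 * constructed stand-in for cfg->text[MsgPostedToYouVia]. */
static const char* posted_via_text(const scfg_t* cfg, unsigned subnum)
{
    static char buf[96];
    if (classify(cfg, subnum) != NOTIFY_SUB)
        return NULL;
    const sub_t* sub = cfg->sub[subnum];
    snprintf(buf, sizeof buf, "Message posted to you via %s %s",
             cfg->grp[sub->grp]->sname, sub->lname);
    return buf;
}

/* Constructed sample configuration: one group, two sub-boards. */
static const scfg_t* sample_cfg(void)
{
    static grp_t  g0 = { "Local" };
    static sub_t  s0 = { "General", 0 }, s1 = { "Support", 0 };
    static scfg_t cfg;
    cfg.grp[0] = &g0;
    cfg.sub[0] = &s0;
    cfg.sub[1] = &s1;
    cfg.total_subs = 2;
    return &cfg;
}

/* What js_msgbase_constructor assigns for "new MsgBase(path, true)": one past the end. */
static unsigned is_path_subnum(const scfg_t* cfg)
{
    return cfg->total_subs;
}

int main(void)
{
    const scfg_t* cfg = sample_cfg();
    unsigned probes[] = { 0, 1, is_path_subnum(cfg), INVALID_SUB };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        const char* text = posted_via_text(cfg, probes[i]);
        const char* shown = text ? text
                          : (classify(cfg, probes[i]) == NOTIFY_SKIP ? "skipped (no sub metadata)"
                                                                     : "mail-base text");
        printf("subnum %u -> %s\n", probes[i], shown);
    }
    return 0;
}
```

The point of classify() is that the two checks are not interchangeable: INVALID_SUB is a sentinel that must still be routed to the mail-base text, while total_subs is a plain out-of-range index that must never reach cfg->sub[]. Any code that indexes cfg->sub[] or cfg->grp[] from a subnum supplied by a caller (JS or otherwise) should go through the bounds check, not only the sentinel comparison.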