From bcb8884e6fb74b6d3e3c234caa8ffec7be005ecf Mon Sep 17 00:00:00 2001
From: Louis Burda <quent.burda@gmail.com>
Date: Wed, 19 May 2021 20:39:47 +0200
Subject: added permium users, second vuln and minor fixes all around

---
 service/src/util.c | 59 +++++++++++++++++++++++++++++++-----------------------
 1 file changed, 34 insertions(+), 25 deletions(-)

(limited to 'service/src/util.c')

diff --git a/service/src/util.c b/service/src/util.c
index bf6e872..31a2628 100644
--- a/service/src/util.c
+++ b/service/src/util.c
@@ -43,45 +43,52 @@ aprintf(const char *fmtstr, ...)
 }
 
 const char*
-mhash(const char *filename, int len)
+mhash(const char *str, int len)
 {
-	static const char *hexalph = "0123456789ABCDEF";
-	static char buf[2 * MHASHLEN + 1];
-	int i, k;
-
-	if (len == -1) len = strlen(filename);
-
-	for (i = 0; i < MIN(MHASHLEN, len); i++) {
-		unsigned char v = 0;
-		for (k = i; k < len; k += MHASHLEN)
-			v ^= filename[k];
-		buf[i*2+0] = hexalph[(v >> 4) & 0x0f];
-		buf[i*2+1] = hexalph[(v >> 0) & 0x0f];
-	}
+	static char buf[MHASHLEN + 1];
+	int i, k, v;
+	char c, *bp;
 
-	if (i == 0) {
-		memset(buf, '0', MHASHLEN);
-	} else if (i < MHASHLEN) {
-		for (k = 0; k < MHASHLEN; k++)
-			buf[k] = buf[k % i];
-	}
+	/* VULN #2: BUFFER OVERFLOW */
+	/* see documentation/README.md for more details */
+
+	if (len == -1) len = strlen(str) + 1;
 
-	buf[MHASHLEN] = '\0';
+	for (v = 0, i = 0; i < len; i++) v += str[i];
+	srand(v);
+
+	for (bp = buf, i = 0; i < MHASHLEN / 2; i++)
+		bp += sprintf(bp, "%02x", str[i % len] ^ (rand() % 256));
 
 	return buf;
 }
 
+int
+checkalph(const char *str, const char *alph)
+{
+	int i;
+
+	for (i = 0; i < strlen(str); i++)
+		if (!strchr(alph, str[i])) return 0;
+
+	return 1;
+}
+
 void
 freadstr(FILE *f, char **dst)
 {
-	size_t start, len;
+	size_t start, len, tmp;
+	char c;
+
+	/* VULN #1: BAD CAST */
+	/* see documentation/README.md for more details */
 
 	start = ftell(f);
-	for (len = 0; fgetc(f) > 0; len++);
+	for (len = 0; (c = fgetc(f)) != EOF && c; len++);
 	fseek(f, start, SEEK_SET);
 
 	*dst = checkp(calloc(1, len + 1));
-	fread(*dst, len, 1, f);
+	tmp = fread(*dst, len, 1, f);
 	fgetc(f);
 }
 
@@ -111,6 +118,8 @@ ask(const char *fmtstr, ...)
 		if (echo) printf("%s\n", linebuf);
 	}
 
+	if (fail) errno = EBADMSG;
+
 	return fail ? "" : linebuf;
 }
 
@@ -123,7 +132,7 @@ dump(const char *filename)
 
 	if (!(f = fopen(filename, "r"))) return;
 
-	while ((nb = fread(buf, 1, sizeof(buf), f)))
+	while ((nb = fread(buf, 1, sizeof(buf) - 1, f)))
 		printf("%.*s\n", nb, buf);
 
 	fclose(f);
-- 
cgit v1.2.3-71-gd317