https://gitlab.synchro.net/main/sbbs/-/issues/276#note_2122
Hi Rob,

Sorry for the late reply. This issue was detected by a static analysis scanner. Since function scansubs() initializes str[256]="", it would be better for function scanallsub() to initialize str[256] as well when it gets allocated.

According to my analysis of the code, str[256] only gets initialized if SCAN_FIND mode is set. However, when str gets used in scanposts(), scanallsub() doesn't check what mode it is. At least, str will be in an uninitialized state if it is not initialized by getstr().

In scanposts(), the find parameter is used not only in:

safe_snprintf(cmdline, sizeof(cmdline), "%s %s %ld %s", cfg.scanposts_mod, cfg.sub[subnum]->code, mode, find);

but also in:

if(strcasestr(buf,find) == NULL && strcasestr(msg.subj, find) == NULL && (msg.tags == NULL || strcasestr(msg.tags, find) == NULL)) {

to determine the if condition.
--- SBBSecho 3.14-Linux
* Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
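
A reduced model of the pattern described in the message above, added here as an illustration; it is not part of the original post and is not Synchronet's code. The function names, the SCAN_FIND value and the `stack_fill` parameter (which stands in for leftover stack bytes so the behaviour is deterministic) are assumptions of this sketch.

```c
#include <stdio.h>
#include <string.h>

#define SCAN_FIND 1L   /* constructed flag value for this sketch */
#define FIND_LEN  256

/* Stand-in for the callee: uses `find` as a C string, like the "%s" and
 * strcasestr() uses quoted in the post. Returns -1 when no NUL lies inside
 * the buffer, i.e. when a real "%s" would read past the end of it. */
static int consume_find(const char *find, size_t size, char *out, size_t outlen)
{
    if (memchr(find, '\0', size) == NULL)
        return -1;
    return snprintf(out, outlen, "scan sub %s", find);
}

/* Reported pattern: buffer written only in SCAN_FIND mode. Reading a truly
 * uninitialized array is undefined, so `stack_fill` models the leftover
 * stack bytes deterministically. */
static int scan_before(long mode, const char *input, int stack_fill,
                       char *out, size_t outlen)
{
    char str[FIND_LEN];
    memset(str, stack_fill, sizeof(str));
    if (mode & SCAN_FIND)
        snprintf(str, sizeof(str), "%s", input);
    return consume_find(str, sizeof(str), out, outlen);
}

/* Suggested pattern: initialize at the declaration, as str[256]="" does. */
static int scan_after(long mode, const char *input, char *out, size_t outlen)
{
    char str[FIND_LEN] = "";
    if (mode & SCAN_FIND)
        snprintf(str, sizeof(str), "%s", input);
    return consume_find(str, sizeof(str), out, outlen);
}

int main(void)
{
    char out[FIND_LEN + 16];
    printf("before, junk stack : %d\n", scan_before(0, "", 0xAA, out, sizeof(out)));
    printf("before, zero stack : %d\n", scan_before(0, "", 0x00, out, sizeof(out)));
    printf("after              : %d\n", scan_after(0, "", out, sizeof(out)));
    return 0;
}
```

The zero-filled case returns normally, which is why this kind of defect can stay unnoticed in testing until the stack contents differ.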