BugTraq
#!ICadv-02.09.03: nethack 3.4.0 local buffer overflow Feb 09 2003 07:18AM
tsao_4sh0 hushmail com (1 replies)
Re: #!ICadv-02.09.03: nethack 3.4.0 local buffer overflow Feb 11 2003 02:08PM
Peter Pentchev (roam ringlet net)
On Sat, Feb 08, 2003 at 11:18:49PM -0800, tsao_4sh0 (at) hushmail (dot) com [email concealed] wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> ###################################################
>
> /usr/games/lib/nethackdir/nethack - LOCALLY EXPLOITABLE BUFFER
>
> try th1s: nethack -s `perl -e "print 'A' x 1000"`

Here is a bandaid that I just committed to the FreeBSD Ports Collection
and also submitted to the NetHack developers. I say 'bandaid', because
there might be a lot of other strcat() weirdnesses in the NetHack source
:(

The patch is also available at
http://people.FreeBSD.org/~roam/devel/nethack/topten.c.patch

G'luck,
Peter

--
Peter Pentchev roam (at) ringlet (dot) net [email concealed] roam (at) FreeBSD (dot) org [email concealed]
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
I've heard that this sentence is a rumor.

--- src/topten.c Thu Mar 21 01:43:19 2002
+++ src/topten.c Tue Feb 11 15:36:23 2003
@@ -855,8 +855,15 @@
if (playerct < 1) Strcat(pbuf, "you.");
else {
if (playerct > 1) Strcat(pbuf, "any of ");
- for (i = 0; i < playerct; i++) {
- Strcat(pbuf, players[i]);
+ for (i = 0; i < playerct && strlen(pbuf) < sizeof(pbuf) - 2;
+ i++) {
+ size_t len = strlen(pbuf), rest;
+ if (strlen(players[i]) > sizeof(pbuf) - len - 2) {
+ rest = sizeof(pbuf) - strlen(pbuf) - 2;
+ memcpy(pbuf + len, players[i], rest);
+ pbuf[len + rest] = '\0';
+ } else
+ Strcat(pbuf, players[i]);
if (i < playerct-1) {
if (players[i][0] == '-' &&
index("pr", players[i][1]) && players[i][2] == 0)
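Review bot: the truncation branch leaves `strlen(pbuf) == sizeof(pbuf) - 2`, but the unchanged `if (i < playerct-1)` block right after it still appends the separator with an unbounded `Strcat`, and any text appended after the loop is unbounded as well; whether the two reserved bytes cover both depends on the lengths of those strings, which this hunk does not show, so derive the reserve from them (a named constant built from the separator and terminator lengths) rather than hard-coding `2`, or send the separator through the same bounded path as the name. Minor: `rest = sizeof(pbuf) - strlen(pbuf) - 2;` recomputes a length that `len` already holds; `rest = sizeof(pbuf) - len - 2;` is clearer. The new loop condition and the `rest` arithmetic also rely on `sizeof(pbuf)` being the array size, so `pbuf` must stay a local array and not become a pointer parameter; a one-line comment saying so would save the next refactor. Finally, over-long names are now cut silently rather than rejected, which is fine for a band-aid but should be stated in the commit message.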

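The bounded concatenation the patch reaches for, written out as a stand-alone C example (added here; it is not Peter's patch and not NetHack's code). It assumes a 128-byte pbuf and the separator strings, neither of which the page shows, and feeds it the advisory's 1000-byte argument to check that the buffer, and a canary byte placed just behind it, survive.

```c
#include <string.h>
#define PBUF_SIZE 128        /* constructed capacity; topten.c's real pbuf size is not on the page */
static char g_pbuf[PBUF_SIZE + 1];   /* the extra byte is a canary, never part of the buffer */

/* Append src to dst (capacity dstsz) without writing past dst[dstsz-1], keeping `reserve`
 * bytes free for text still to come. Always NUL-terminates. Returns 1 if src fit, 0 if cut. */
static int bounded_cat(char *dst, size_t dstsz, const char *src, size_t reserve)
{
    size_t len = strlen(dst), used = len + 1 + reserve;   /* +1 for the NUL */
    size_t room = used < dstsz ? dstsz - used : 0;
    size_t n = strlen(src);
    int fit = n <= room;
    if (!fit) n = room;
    memcpy(dst + len, src, n);
    dst[len + n] = '\0';
    return fit;
}

/* Build the "any of a:b." message with every append bounded. The separators (" " after a "-p"/"-r"
 * token, ":" otherwise) are an assumption: the page cuts the hunk off before them. Returns 1 if cut. */
static int build_player_list(char *pbuf, size_t pbufsz, const char **players, int playerct)
{
    const size_t tail = 1 + 1;   /* longest separator plus the final '.' */
    int i, truncated = 0;
    pbuf[0] = '\0';
    if (playerct < 1) return !bounded_cat(pbuf, pbufsz, "you.", 0);
    if (playerct > 1) bounded_cat(pbuf, pbufsz, "any of ", tail);
    for (i = 0; i < playerct; i++) {
        truncated |= !bounded_cat(pbuf, pbufsz, players[i], tail);
        if (i < playerct - 1) {
            int opt = players[i][0] == '-' && players[i][1] && strchr("pr", players[i][1]) && !players[i][2];
            bounded_cat(pbuf, pbufsz, opt ? " " : ":", 1);   /* keep 1 byte for the '.' */
        }
    }
    bounded_cat(pbuf, pbufsz, ".", 0);
    return truncated;
}

static const char *long_name(void)   /* the advisory's 1000 x 'A' argument, constructed here */
{ static char n[1001]; memset(n, 'A', 1000); n[1000] = '\0'; return n; }

/* One- or two-name message (b may be NULL) into g_pbuf; NULL if the canary was clobbered. */
static const char *demo(const char *a, const char *b)
{
    const char *players[2] = { a, b };
    g_pbuf[PBUF_SIZE] = 0x5A;
    build_player_list(g_pbuf, PBUF_SIZE, players, b ? 2 : 1);
    return g_pbuf[PBUF_SIZE] == 0x5A ? g_pbuf : NULL;
}
```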
Copyright 2010, SecurityFocus