]> granicus.if.org Git - nethack/commitdiff
projects / nethack / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 6c1d287)
nethack -s buffer overflow fix
authorcohrs <cohrs>
Mon, 10 Feb 2003 19:01:58 +0000 (19:01 +0000)
committercohrs <cohrs>
Mon, 10 Feb 2003 19:01:58 +0000 (19:01 +0000)
When printing invalid player names in -s mode, it was possible to overflow
the output buffer due to a missing buffer size check.  On shared Unix-like
systems with executable stacks, this could be used as a security exploit,
eg to obtain a shell running as user or group games.
While I was at it, removed a dead block of "#if 0" code

doc/fixes34.1 patch | blob | history
src/topten.c patch | blob | history

diff --git a/doc/fixes34.1 b/doc/fixes34.1
index 12ebc0e6670ce5e25056ad125fab877603b5b400..fef372d59bfbafd7d8c66c95b14d14c39d5b17e8 100644 (file)
--- a/doc/fixes34.1
+++ b/doc/fixes34.1
@@ -379,6 +379,7 @@ see_monsters() wasn't called when you lost the innate warning intrinsic due
 xorns sink if the drawbridge they're standing on is raised
 applying figurines to an adjacent spot over water does drowning checks
 fix sequencing of Magicbane's hit messages
+avoid buffer overflow from long or too many -s params
 
 
 Platform- and/or Interface-Specific Fixes
diff --git a/src/topten.c b/src/topten.c
index 08f80e96c24144d1ca76cfd7cae2b4aa4fbb60c9..afbdfd4b24d82e9cc76fa23a47a3ac70a9fde58b 100644 (file)
--- a/src/topten.c
+++ b/src/topten.c
@@ -788,14 +788,6 @@ char **argv;
        if (!argv[1][2]){       /* plain "-s" */
                argc--;
                argv++;
-#if 0 /* uses obsolete pl_classes[] */
-       } else if (!argv[1][3] && index(pl_classes, argv[1][2])) {
-               /* may get this case instead of next accidentally,
-                * but neither is listed in the documentation, so
-                * anything useful that happens is a bonus anyway */
-               argv[1]++;
-               argv[1][0] = '-';
-#endif
        } else  argv[1] += 2;
 
        if (argc > 1 && !strcmp(argv[1], "-v")) {
@@ -857,6 +849,12 @@ char **argv;
            else {
                if (playerct > 1) Strcat(pbuf, "any of ");
                for (i = 0; i < playerct; i++) {
+                   /* stop printing players if there are too many to fit */
+                   if (strlen(pbuf) + strlen(players[i]) + 2 >= BUFSZ) {
+                       if (strlen(pbuf) < BUFSZ-4) Strcat(pbuf, "...");
+                       else Strcpy(pbuf+strlen(pbuf)-4, "...");
+                       break;
+                   }
                    Strcat(pbuf, players[i]);
                    if (i < playerct-1) {
                        if (players[i][0] == '-' &&
Unnamed repository; edit this file 'description' to name the repository.