Aren
/
NetBSD
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix two serious string-handling bugs (one exploitable, one probably 

exploitable) and also add proper checking/paranoia in several other
places.
This commit is contained in:
dholland 2009-06-29 23:05:33 +00:00
parent f7384c4a6a
commit 165c915b22
7 changed files with 49 additions and 33 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
games/hack/hack.do_name.c
View File

@ -1,4 +1,4 @@
/* $NetBSD: hack.do_name.c,v 1.9 2009/06/07 20:13:18 dholland Exp $ */
/* $NetBSD: hack.do_name.c,v 1.10 2009/06/29 23:05:33 dholland Exp $ */
/*
* Copyright (c) 1985, Stichting Centrum voor Wiskunde en Informatica,
@ -63,7 +63,7 @@
#include <sys/cdefs.h>
#ifndef lint
__RCSID("$NetBSD: hack.do_name.c,v 1.9 2009/06/07 20:13:18 dholland Exp $");
__RCSID("$NetBSD: hack.do_name.c,v 1.10 2009/06/29 23:05:33 dholland Exp $");
#endif /* not lint */
#include <stdlib.h>
@ -279,7 +279,7 @@ xmonnam(struct monst *mtmp, int vb)
gn = ghostnames[rn2(SIZE(ghostnames))];
if (!rn2(2))
(void)
strcpy((char *) mtmp->mextra, !rn2(5) ? plname : gn);
strlcpy((char *) mtmp->mextra, !rn2(5) ? plname : gn, mtmp->mxlth);
}
(void) snprintf(buf, sizeof(buf), "%s's ghost", gn);
}

4
games/hack/hack.h
View File

@ -1,4 +1,4 @@
/* $NetBSD: hack.h,v 1.12 2009/06/07 21:04:54 dholland Exp $ */
/* $NetBSD: hack.h,v 1.13 2009/06/29 23:05:33 dholland Exp $ */
/*
* Copyright (c) 1985, Stichting Centrum voor Wiskunde en Informatica,
@ -202,7 +202,7 @@ extern const char *const traps[];
extern char SAVEF[];
extern char fut_geno[60]; /* idem */
extern char genocided[60]; /* defined in Decl.c */
extern char lock[];
extern char lock[PL_NSIZ + 4];
extern const char mlarge[];
extern char morc;
extern const char nul[];

17
games/hack/hack.invent.c
View File

@ -1,4 +1,4 @@
/* $NetBSD: hack.invent.c,v 1.12 2009/06/07 20:13:18 dholland Exp $ */
/* $NetBSD: hack.invent.c,v 1.13 2009/06/29 23:05:33 dholland Exp $ */
/*
* Copyright (c) 1985, Stichting Centrum voor Wiskunde en Informatica,
@ -63,9 +63,10 @@
#include <sys/cdefs.h>
#ifndef lint
__RCSID("$NetBSD: hack.invent.c,v 1.12 2009/06/07 20:13:18 dholland Exp $");
__RCSID("$NetBSD: hack.invent.c,v 1.13 2009/06/29 23:05:33 dholland Exp $");
#endif /* not lint */
#include <assert.h>
#include <stdlib.h>
#include "hack.h"
#include "extern.h"
@ -555,7 +556,7 @@ ggetobj(const char *word, int (*fn)(struct obj *), int max)
char buf[BUFSZ];
char *ip;
char sym;
int oletct = 0, iletct = 0;
unsigned oletct = 0, iletct = 0;
boolean allflag = FALSE;
char olets[20], ilets[20];
int (*ckfn)(struct obj *) =
@ -586,6 +587,7 @@ ggetobj(const char *word, int (*fn)(struct obj *), int max)
if (invent)
ilets[iletct++] = 'a';
ilets[iletct] = 0;
assert(iletct < sizeof(ilets));
}
pline("What kinds of thing do you want to %s? [%s] ",
word, ilets);
@ -614,6 +616,7 @@ ggetobj(const char *word, int (*fn)(struct obj *), int max)
olets[oletct++] = sym;
olets[oletct] = 0;
}
assert(oletct < sizeof(olets));
} else
pline("You don't have any %c's.", sym);
}
@ -723,7 +726,7 @@ doinv(char *lets)
{
struct obj *otmp;
char ilet;
int ct = 0;
unsigned ct = 0;
char any[BUFSZ];
morc = 0; /* just to be sure */
@ -746,6 +749,7 @@ doinv(char *lets)
ilet = 'A';
}
any[ct] = 0;
assert(ct < sizeof(any));
cornline(2, any);
}
@ -755,7 +759,7 @@ dotypeinv(void)
/* Changed to one type only, so he doesnt have to type cr */
char c, ilet;
char stuff[BUFSZ];
int stct;
unsigned stct;
struct obj *otmp;
boolean billx = inshop() && doinvbill(0);
boolean unpd = FALSE;
@ -781,6 +785,7 @@ dotypeinv(void)
if (billx)
stuff[stct++] = 'x';
stuff[stct] = 0;
assert(stct < sizeof(stuff));
if (stct > 1) {
pline("What type of object [%s] do you want an inventory of? ",
@ -817,6 +822,8 @@ dotypeinv(void)
ilet = 'A';
}
stuff[stct] = '\0';
assert(stct < sizeof(stuff));
if (stct == 0)
pline("You have no such objects.");
else

17
games/hack/hack.main.c
View File

@ -1,4 +1,4 @@
/* $NetBSD: hack.main.c,v 1.12 2009/06/07 20:13:18 dholland Exp $ */
/* $NetBSD: hack.main.c,v 1.13 2009/06/29 23:05:33 dholland Exp $ */
/*
* Copyright (c) 1985, Stichting Centrum voor Wiskunde en Informatica,
@ -63,7 +63,7 @@
#include <sys/cdefs.h>
#ifndef lint
__RCSID("$NetBSD: hack.main.c,v 1.12 2009/06/07 20:13:18 dholland Exp $");
__RCSID("$NetBSD: hack.main.c,v 1.13 2009/06/29 23:05:33 dholland Exp $");
#endif /* not lint */
#include <signal.h>
@ -300,7 +300,8 @@ main(int argc, char *argv[])
}
*gp = 0;
} else
(void) strcpy(genocided, sfoo);
(void) strlcpy(genocided, sfoo,
sizeof(genocided));
(void) strcpy(fut_geno, genocided);
}
}
@ -478,12 +479,12 @@ void
glo(int foo)
{
/* construct the string xlock.n */
char *tf;
size_t pos;
tf = lock;
while (*tf && *tf != '.')
tf++;
(void) sprintf(tf, ".%d", foo);
pos = 0;
while (lock[pos] && lock[pos] != '.')
pos++;
(void) snprintf(lock + pos, sizeof(lock) - pos, ".%d", foo);
}
/*

6
games/hack/hack.rip.c
View File

@ -1,4 +1,4 @@
/* $NetBSD: hack.rip.c,v 1.10 2009/06/07 20:13:18 dholland Exp $ */
/* $NetBSD: hack.rip.c,v 1.11 2009/06/29 23:05:33 dholland Exp $ */
/*
* Copyright (c) 1985, Stichting Centrum voor Wiskunde en Informatica,
@ -63,7 +63,7 @@
#include <sys/cdefs.h>
#ifndef lint
__RCSID("$NetBSD: hack.rip.c,v 1.10 2009/06/07 20:13:18 dholland Exp $");
__RCSID("$NetBSD: hack.rip.c,v 1.11 2009/06/29 23:05:33 dholland Exp $");
#endif /* not lint */
#include "hack.h"
@ -101,7 +101,7 @@ outrip(void)
!strcmp(killer, "starvation") ? "" :
strchr(vowels, *killer) ? " an" : " a");
center(8, buf);
(void) strcpy(buf, killer);
(void) strlcpy(buf, killer, sizeof(buf));
{
int i1;
if ((i1 = strlen(buf)) > 16) {

20
games/hack/hack.topl.c
View File

@ -1,4 +1,4 @@
/* $NetBSD: hack.topl.c,v 1.10 2009/06/07 20:13:18 dholland Exp $ */
/* $NetBSD: hack.topl.c,v 1.11 2009/06/29 23:05:33 dholland Exp $ */
/*
* Copyright (c) 1985, Stichting Centrum voor Wiskunde en Informatica,
@ -63,7 +63,7 @@
#include <sys/cdefs.h>
#ifndef lint
__RCSID("$NetBSD: hack.topl.c,v 1.10 2009/06/07 20:13:18 dholland Exp $");
__RCSID("$NetBSD: hack.topl.c,v 1.11 2009/06/29 23:05:33 dholland Exp $");
#endif /* not lint */
#include <stdlib.h>
@ -212,7 +212,7 @@ vpline(const char *line, va_list ap)
{
char pbuf[BUFSZ];
char *bp = pbuf, *tl;
int n, n0;
int n, n0, tlpos, dead;
if (!line || !*line)
return;
@ -240,8 +240,9 @@ vpline(const char *line, va_list ap)
if (flags.toplin == 1)
more();
remember_topl();
dead = 0;
toplines[0] = 0;
while (n0) {
while (n0 && !dead) {
if (n0 >= CO) {
/* look for appropriate cut point */
n0 = 0;
@ -255,7 +256,14 @@ vpline(const char *line, va_list ap)
if (!n0)
n0 = CO - 2;
}
(void) strncpy((tl = eos(toplines)), bp, n0);
tlpos = strlen(toplines);
tl = toplines + tlpos;
/* avoid overflow */
if (tlpos + n0 > (int)sizeof(toplines) - 1) {
n0 = sizeof(toplines) - 1 - tlpos;
dead = 1;
}
(void) memcpy(tl, bp, n0);
tl[n0] = 0;
bp += n0;
@ -265,7 +273,7 @@ vpline(const char *line, va_list ap)
n0 = strlen(bp);
if (n0 && tl[0])
(void) strcat(tl, "\n");
(void) strlcat(toplines, "\n", sizeof(toplines));
}
redotoplin();
}

12
games/hack/hack.unix.c
View File

@ -1,4 +1,4 @@
/* $NetBSD: hack.unix.c,v 1.12 2009/06/07 20:13:18 dholland Exp $ */
/* $NetBSD: hack.unix.c,v 1.13 2009/06/29 23:05:33 dholland Exp $ */
/*
* Copyright (c) 1985, Stichting Centrum voor Wiskunde en Informatica,
@ -63,7 +63,7 @@
#include <sys/cdefs.h>
#ifndef lint
__RCSID("$NetBSD: hack.unix.c,v 1.12 2009/06/07 20:13:18 dholland Exp $");
__RCSID("$NetBSD: hack.unix.c,v 1.13 2009/06/29 23:05:33 dholland Exp $");
#endif /* not lint */
/* This file collects some Unix dependencies; hack.pager.c contains some more */
@ -192,11 +192,11 @@ gethdate(char *name)
if ((np = strchr(path, ':')) == NULL)
np = path + strlen(path); /* point to end str */
if (np - path <= 1) /* %% */
(void) strcpy(filename, name);
(void) strlcpy(filename, name, sizeof(filename));
else {
(void) strncpy(filename, path, np - path);
filename[np - path] = '/';
(void) strcpy(filename + (np - path) + 1, name);
(void) snprintf(filename, sizeof(filename),
"%.*s/%s",
(int)(np - path), path, name);
}
if (stat(filename, &hbuf) == 0)
return;