freebsd-ports/games/quake2-source/files/patch-security
Edwin Groothuis 7e4cbdf713 [NEW PORT] games/quake2-source - Quake II game source
Quake II game source.

	This port installs the Quake II game source, together with
	BSD Makefiles, for building modifications. It can also
	install the Capture the Flag mod, Rogue and Xatrix game
	source.

PR:		ports/86737
Submitted by:	Alejandro Pulver <alejandro@varnet.biz>
2005-10-16 05:58:42 +00:00


Index: client/cl_parse.c
===================================================================
RCS file: /cvs/cvsroot/quake2/src/client/cl_parse.c,v
retrieving revision 1.3
diff -u -r1.3 cl_parse.c
--- src/client/cl_parse.c 24 Sep 2004 22:06:52 -0000 1.3
+++ src/client/cl_parse.c 29 Jan 2005 20:57:01 -0000
@@ -397,6 +397,9 @@
strncpy(ci->cinfo, s, sizeof(ci->cinfo));
ci->cinfo[sizeof(ci->cinfo)-1] = 0;
+ // sku - avoid potentional buffer overflow vulnerability
+ s = ci->cinfo;
+
// isolate the player's name
strncpy(ci->name, s, sizeof(ci->name));
ci->name[sizeof(ci->name)-1] = 0;
@@ -528,6 +531,7 @@
int i;
char *s;
char olds[MAX_QPATH];
+ int length;
i = MSG_ReadShort (&net_message);
if (i < 0 || i >= MAX_CONFIGSTRINGS)
@@ -537,6 +541,12 @@
strncpy (olds, cl.configstrings[i], sizeof(olds));
olds[sizeof(olds) - 1] = 0;
+ // sku - avoid potentional buffer overflow vulnerability
+ length = strlen( s );
+ if( length > sizeof( cl.configstrings ) - sizeof( cl.configstrings[0] ) * i - 1 ) {
+ Com_Error( ERR_DROP, "CL_ParseConfigString: oversize configstring" );
+ }
+
strcpy (cl.configstrings[i], s);
// do something apropriate
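Review bot: The new bound in this hunk is the space left in the whole `cl.configstrings` array from slot `i` onward, not the size of slot `i`, so a string from the server that is longer than one slot is still copied over the following slots by the `strcpy`. If that is intended for entries that span several slots, the comment should say so, e.g. `// long entries may run into the following slots; only the end of the array is a hard limit`, and indices that never need to span could get a per-slot limit. `length` is declared `int` (in the hunk at -528) but compared with a `size_t` expression; `size_t length;` avoids the mixed-sign comparison. `s` is assigned outside the hunk.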
Index: qcommon/cmd.c
===================================================================
RCS file: /cvs/cvsroot/quake2/src/qcommon/cmd.c,v
retrieving revision 1.2
diff -u -r1.2 cmd.c
--- src/qcommon/cmd.c 3 Jan 2002 05:10:14 -0000 1.2
+++ src/qcommon/cmd.c 29 Jan 2005 20:57:01 -0000
@@ -215,8 +215,11 @@
if (text[i] == '\n')
break;
}
-
-
+
+ // sku - removed potentional buffer overflow vulnerability
+ if( i > sizeof( line ) - 1 ) {
+ i = sizeof( line ) - 1;
+ }
memcpy (line, text, i);
line[i] = 0;
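Review bot: Clamping `i` itself changes more than the copy length if the code after this hunk uses `i` to drop the consumed text from the buffer, which cannot be seen from here. In that case the tail of an over-long line would stay in the buffer and be executed as a separate command. Clamping a separate copy length keeps the consume step on the real line length: `len = i; if (len > sizeof(line) - 1) len = sizeof(line) - 1;` followed by `memcpy (line, text, len); line[len] = 0;`. Rejecting the over-long line outright is the other option.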
@@ -657,7 +660,8 @@
{
int l;
- strcpy (cmd_args, text);
+ // sku - removed potentional buffer overflow vulnerability
+ strncpy( cmd_args, text, sizeof( cmd_args ) );
// strip off any trailing whitespace
l = strlen(cmd_args) - 1;
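Review bot: `strncpy` does not write a terminator when `text` is at least `sizeof( cmd_args )` bytes long, so the `strlen(cmd_args)` on the next line can read past the end of the buffer. The other `strncpy` calls in this patch terminate explicitly and this one should too: `cmd_args[sizeof( cmd_args ) - 1] = 0;` directly after the copy. The enclosing function starts and ends outside the hunk.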
Index: qcommon/common.c
===================================================================
RCS file: /cvs/cvsroot/quake2/src/qcommon/common.c,v
retrieving revision 1.4
diff -u -r1.4 common.c
--- src/qcommon/common.c 30 Mar 2002 22:48:36 -0000 1.4
+++ src/qcommon/common.c 29 Jan 2005 20:57:02 -0000
@@ -797,7 +797,9 @@
l = 0;
do
{
- c = MSG_ReadChar (msg_read);
+ // sku - replaced MSG_ReadChar with MSG_ReadByte to avoid
+ // potentional vulnerability
+ c = MSG_ReadByte (msg_read);
if (c == -1 || c == 0)
break;
string[l] = c;
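Review bot: The comment on the `MSG_ReadByte` substitution says only "potentional vulnerability" and does not record what the hazard was. From the visible lines the loop stops on `c == -1`, and with a signed read a 0xFF payload byte is presumably indistinguishable from that end-of-message value, so the string would end early and the rest of it would be parsed as message data. A comment such as `// read unsigned so a 0xFF byte is not mistaken for the -1 end-of-message value` would document this. The same applies to the second loop at -817. The bound on `l` lies outside both hunks, so the limit on `string` cannot be checked from here.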
@@ -817,7 +819,9 @@
l = 0;
do
{
- c = MSG_ReadChar (msg_read);
+ // sku - replaced MSG_ReadChar with MSG_ReadByte to avoid
+ // potentional vulnerability
+ c = MSG_ReadByte (msg_read);
if (c == -1 || c == 0 || c == '\n')
break;
string[l] = c;
Index: server/sv_main.c
===================================================================
RCS file: /cvs/cvsroot/quake2/src/server/sv_main.c,v
retrieving revision 1.2
diff -u -r1.2 sv_main.c
--- src/server/sv_main.c 22 Mar 2002 00:24:37 -0000 1.2
+++ src/server/sv_main.c 29 Jan 2005 20:57:03 -0000
@@ -293,8 +293,9 @@
challenge = atoi(Cmd_Argv(3));
- strncpy (userinfo, Cmd_Argv(4), sizeof(userinfo)-1);
- userinfo[sizeof(userinfo) - 1] = 0;
+ // sku - reserve 32 bytes for the IP address
+ strncpy (userinfo, Cmd_Argv(4), sizeof(userinfo)-32);
+ userinfo[sizeof(userinfo) - 32] = 0;
// force the IP key/value pair so the game can filter based on ip
Info_SetValueForKey (userinfo, "ip", NET_AdrToString(net_from));
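Review bot: The `32` in the `strncpy` and terminator lines is an unexplained magic number that has to stay large enough for the `ip` key, its separators and whatever `NET_AdrToString` returns. A named constant used in both lines, with a comment stating what it must cover, keeps the two in sync if the address format ever grows. The copy also silently truncates an over-long userinfo, possibly in the middle of a key/value pair; refusing the connection instead would be easier to reason about. Whether `Info_SetValueForKey` can still fail to store the pair is not visible here.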
@@ -317,8 +318,11 @@
{
if (NET_CompareBaseAdr (net_from, svs.challenges[i].adr))
{
- if (challenge == svs.challenges[i].challenge)
+ // sku - ignore zero challenges
+ if( svs.challenges[i].challenge && challenge == svs.challenges[i].challenge ) {
+ svs.challenges[i].challenge = 0;
break; // good
+ }
Netchan_OutOfBandPrint (NS_SERVER, adr, "print\nBad challenge.\n");
return;
}
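Review bot: The comment "ignore zero challenges" covers only half of the change; the added `svs.challenges[i].challenge = 0;` also makes each challenge single-use, which is the part a later maintainer is most likely to remove by accident. Something like `// sku - skip unset (zero) slots and consume the challenge so it cannot be reused` would record both. The challenge is cleared before the remaining connection checks run, so a client rejected later in the function has to request a fresh one. The enclosing loop begins outside the hunk.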
@@ -342,6 +346,11 @@
&& ( cl->netchan.qport == qport
|| adr.port == cl->netchan.remote_address.port ) )
{
+ // sku - avoid reusing slot of the client already connected
+ if( cl->state != cs_zombie ) {
+ Netchan_OutOfBandPrint( NS_SERVER, adr, "print\nConnected client from this IP is already present.\n" );
+ return;
+ }
if (!NET_IsLocalAddress (adr) && (svs.realtime - cl->lastconnect) < ((int)sv_reconnect_limit->value * 1000))
{
Com_DPrintf ("%s:reconnect rejected : too soon\n", NET_AdrToString (adr));
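Review bot: The early return for `cl->state != cs_zombie` also refuses a legitimate player whose previous connection dropped without the server noticing, until that slot times out or turns into a zombie. That trade-off should be stated in the comment. The refusal is not logged on the server side, unlike the reconnect rejection just below, so a `Com_DPrintf` with `NET_AdrToString (adr)` would let operators see it. The address and qport match that decides which slot counts as already connected begins outside the hunk.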
Index: server/sv_user.c
===================================================================
RCS file: /cvs/cvsroot/quake2/src/server/sv_user.c,v
retrieving revision 1.2
diff -u -r1.2 sv_user.c
--- src/server/sv_user.c 21 Mar 2002 04:44:46 -0000 1.2
+++ src/server/sv_user.c 29 Jan 2005 20:57:04 -0000
@@ -142,6 +142,9 @@
}
start = atoi(Cmd_Argv(2));
+ if( start < 0 ) {
+ start = 0; // sku - catch negative offsets
+ }
// write a packet full of data
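Review bot: Only the lower bound of `start` is enforced here; the upper bound has to come from the loop condition, which is outside the hunk, before `sv.configstrings[start]` is indexed. `atoi` cannot tell a malformed argument from 0, so bad input silently restarts the transfer from the beginning rather than being rejected. The identical clamp at -199 has no comment, and `// sku - catch negative offsets` should be repeated there.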
@@ -150,9 +153,18 @@
{
if (sv.configstrings[start][0])
{
+ int length;
+
+ // sku - write configstrings that exceed MAX_QPATH in proper-sized chunks
+ length = strlen( sv.configstrings[start] );
+ if( length > MAX_QPATH ) {
+ length = MAX_QPATH;
+ }
+
MSG_WriteByte (&sv_client->netchan.message, svc_configstring);
MSG_WriteShort (&sv_client->netchan.message, start);
- MSG_WriteString (&sv_client->netchan.message, sv.configstrings[start]);
+ SZ_Write (&sv_client->netchan.message, sv.configstrings[start], length);
+ MSG_WriteByte (&sv_client->netchan.message, 0);
}
start++;
}
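Review bot: The comment "in proper-sized chunks" does not say why cutting at `MAX_QPATH` is safe. It appears to rely on an over-long entry continuing into the next slot, so that the remainder goes out as slot `start + 1`, and on the client applying the chunks in order. That assumption belongs in the comment, e.g. `// the tail of a long entry lives in the following slots and is sent as their configstrings`. A chunk of exactly `MAX_QPATH` characters plus the terminator written by `MSG_WriteByte` is one byte larger than a slot, which the receiving side has to accept. `length` should be `size_t` to match `strlen`.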
@@ -199,6 +211,9 @@
}
start = atoi(Cmd_Argv(2));
+ if( start < 0 ) {
+ start = 0;
+ }
memset (&nullstate, 0, sizeof(nullstate));
@@ -398,7 +413,7 @@
*/
void SV_ShowServerinfo_f (void)
{
- Info_Print (Cvar_Serverinfo());
+// Info_Print (Cvar_Serverinfo());
}
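Review bot: `SV_ShowServerinfo_f` is reduced to an empty body by commenting out the `Info_Print` call, with no note on why. Every other change in this patch carries a `// sku - ...` comment, and this one needs the reason too, otherwise the call is likely to be restored later as an apparent mistake. If the command is meant to be disabled for good, delete the line rather than leaving commented-out code. Removing the command's registration, which is outside this hunk, may be cleaner than keeping a no-op handler.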