kpriv/freebsd-ports
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
freebsd-ports/games/quake2lnx/files/patch-security
Alejandro Pulver b706d52882 - Bump PORTREVISION. 
- Remove code from patch-security which was causing a "Bad challenge" error
  when connecting to password protected servers.
- Turn GAME option to "off" by default (a functional game.so is installed by
  games/quake2-data) as in other Quake II engine ports.

PR:		ports/111048
Submitted by:	alepulver (myself)
Approved by:	danfe (maintainer, timeout)
Reported by:	Kyle Hunter <keletmaster@gmail.com>
2007-04-08 04:15:47 +00:00

188 lines
5.3 KiB
Text
Raw Blame History

Index: client/cl_parse.c
===================================================================
RCS file: /cvs/cvsroot/quake2/src/client/cl_parse.c,v
retrieving revision 1.3
diff -u -r1.3 cl_parse.c
--- src/client/cl_parse.c 24 Sep 2004 22:06:52 -0000 1.3
+++ src/client/cl_parse.c 29 Jan 2005 20:57:01 -0000
@@ -397,6 +397,9 @@
strncpy(ci->cinfo, s, sizeof(ci->cinfo));
ci->cinfo[sizeof(ci->cinfo)-1] = 0;
+ // sku - avoid potentional buffer overflow vulnerability
+ s = ci->cinfo;
+
// isolate the player's name
strncpy(ci->name, s, sizeof(ci->name));
ci->name[sizeof(ci->name)-1] = 0;
@@ -528,6 +531,7 @@
int i;
char *s;
char olds[MAX_QPATH];
+ int length;
i = MSG_ReadShort (&net_message);
if (i < 0 || i >= MAX_CONFIGSTRINGS)
@@ -537,6 +541,12 @@
strncpy (olds, cl.configstrings[i], sizeof(olds));
olds[sizeof(olds) - 1] = 0;
+ // sku - avoid potentional buffer overflow vulnerability
+ length = strlen( s );
+ if( length > sizeof( cl.configstrings ) - sizeof( cl.configstrings[0] ) * i - 1 ) {
+ Com_Error( ERR_DROP, "CL_ParseConfigString: oversize configstring" );
+ }
+
strcpy (cl.configstrings[i], s);
// do something apropriate
Index: qcommon/cmd.c
===================================================================
RCS file: /cvs/cvsroot/quake2/src/qcommon/cmd.c,v
retrieving revision 1.2
diff -u -r1.2 cmd.c
--- src/qcommon/cmd.c 3 Jan 2002 05:10:14 -0000 1.2
+++ src/qcommon/cmd.c 29 Jan 2005 20:57:01 -0000
@@ -215,8 +215,11 @@
if (text[i] == '\n')
break;
}
-
-
+
+ // sku - removed potentional buffer overflow vulnerability
+ if( i > sizeof( line ) - 1 ) {
+ i = sizeof( line ) - 1;
+ }
memcpy (line, text, i);
line[i] = 0;
@@ -657,7 +660,8 @@
{
int l;
- strcpy (cmd_args, text);
+ // sku - removed potentional buffer overflow vulnerability
+ strncpy( cmd_args, text, sizeof( cmd_args ) );
// strip off any trailing whitespace
l = strlen(cmd_args) - 1;
Index: qcommon/common.c
===================================================================
RCS file: /cvs/cvsroot/quake2/src/qcommon/common.c,v
retrieving revision 1.4
diff -u -r1.4 common.c
--- src/qcommon/common.c 30 Mar 2002 22:48:36 -0000 1.4
+++ src/qcommon/common.c 29 Jan 2005 20:57:02 -0000
@@ -797,7 +797,9 @@
l = 0;
do
{
- c = MSG_ReadChar (msg_read);
+ // sku - replaced MSG_ReadChar with MSG_ReadByte to avoid
+ // potentional vulnerability
+ c = MSG_ReadByte (msg_read);
if (c == -1 || c == 0)
break;
string[l] = c;
@@ -817,7 +819,9 @@
l = 0;
do
{
- c = MSG_ReadChar (msg_read);
+ // sku - replaced MSG_ReadChar with MSG_ReadByte to avoid
+ // potentional vulnerability
+ c = MSG_ReadByte (msg_read);
if (c == -1 || c == 0 || c == '\n')
break;
string[l] = c;
Index: server/sv_main.c
===================================================================
RCS file: /cvs/cvsroot/quake2/src/server/sv_main.c,v
retrieving revision 1.2
diff -u -r1.2 sv_main.c
--- src/server/sv_main.c 22 Mar 2002 00:24:37 -0000 1.2
+++ src/server/sv_main.c 29 Jan 2005 20:57:03 -0000
@@ -293,8 +293,9 @@
challenge = atoi(Cmd_Argv(3));
- strncpy (userinfo, Cmd_Argv(4), sizeof(userinfo)-1);
- userinfo[sizeof(userinfo) - 1] = 0;
+ // sku - reserve 32 bytes for the IP address
+ strncpy (userinfo, Cmd_Argv(4), sizeof(userinfo)-32);
+ userinfo[sizeof(userinfo) - 32] = 0;
// force the IP key/value pair so the game can filter based on ip
Info_SetValueForKey (userinfo, "ip", NET_AdrToString(net_from));
@@ -342,6 +346,11 @@
&& ( cl->netchan.qport == qport
|| adr.port == cl->netchan.remote_address.port ) )
{
+ // sku - avoid reusing slot of the client already connected
+ if( cl->state != cs_zombie ) {
+ Netchan_OutOfBandPrint( NS_SERVER, adr, "print\nConnected client from this IP is already present.\n" );
+ return;
+ }
if (!NET_IsLocalAddress (adr) && (svs.realtime - cl->lastconnect) < ((int)sv_reconnect_limit->value * 1000))
{
Com_DPrintf ("%s:reconnect rejected : too soon\n", NET_AdrToString (adr));
Index: server/sv_user.c
===================================================================
RCS file: /cvs/cvsroot/quake2/src/server/sv_user.c,v
retrieving revision 1.2
diff -u -r1.2 sv_user.c
--- src/server/sv_user.c 21 Mar 2002 04:44:46 -0000 1.2
+++ src/server/sv_user.c 29 Jan 2005 20:57:04 -0000
@@ -142,6 +142,9 @@
}
start = atoi(Cmd_Argv(2));
+ if( start < 0 ) {
+ start = 0; // sku - catch negative offsets
+ }
// write a packet full of data
@@ -150,9 +153,18 @@
{
if (sv.configstrings[start][0])
{
+ int length;
+
+ // sku - write configstrings that exceed MAX_QPATH in proper-sized chunks
+ length = strlen( sv.configstrings[start] );
+ if( length > MAX_QPATH ) {
+ length = MAX_QPATH;
+ }
+
MSG_WriteByte (&sv_client->netchan.message, svc_configstring);
MSG_WriteShort (&sv_client->netchan.message, start);
- MSG_WriteString (&sv_client->netchan.message, sv.configstrings[start]);
+ SZ_Write (&sv_client->netchan.message, sv.configstrings[start], length);
+ MSG_WriteByte (&sv_client->netchan.message, 0);
}
start++;
}
@@ -199,6 +211,9 @@
}
start = atoi(Cmd_Argv(2));
+ if( start < 0 ) {
+ start = 0;
+ }
memset (&nullstate, 0, sizeof(nullstate));
@@ -398,7 +413,7 @@
*/
void SV_ShowServerinfo_f (void)
{
- Info_Print (Cvar_Serverinfo());
+// Info_Print (Cvar_Serverinfo());
}
Reference in a new issue View git blame Copy permalink