(svn r2899) -Fix: Several format string vulnerabilities and buffer overflows in the network code
This commit is contained in:
tron
@@ -1132,7 +1132,7 @@ DEF_CONSOLE_HOOK(ConProcPlayerName)
|
|||||||
SEND_COMMAND(PACKET_CLIENT_SET_NAME)(_network_player_name);
|
SEND_COMMAND(PACKET_CLIENT_SET_NAME)(_network_player_name);
|
||||||
} else {
|
} else {
|
||||||
if (NetworkFindName(_network_player_name)) {
|
if (NetworkFindName(_network_player_name)) {
|
||||||
NetworkTextMessage(NETWORK_ACTION_NAME_CHANGE, 1, false, ci->client_name, _network_player_name);
|
NetworkTextMessage(NETWORK_ACTION_NAME_CHANGE, 1, false, ci->client_name, "%s", _network_player_name);
|
||||||
ttd_strlcpy(ci->client_name, _network_player_name, sizeof(ci->client_name));
|
ttd_strlcpy(ci->client_name, _network_player_name, sizeof(ci->client_name));
|
||||||
NetworkUpdateClientInfo(NETWORK_SERVER_INDEX);
|
NetworkUpdateClientInfo(NETWORK_SERVER_INDEX);
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -100,7 +100,7 @@ void CDECL NetworkTextMessage(NetworkAction action, uint16 color, bool self_send
|
|||||||
char temp[1024];
|
char temp[1024];
|
||||||
|
|
||||||
va_start(va, str);
|
va_start(va, str);
|
||||||
vsprintf(buf, str, va);
|
vsnprintf(buf, lengthof(buf), str, va);
|
||||||
va_end(va);
|
va_end(va);
|
||||||
|
|
||||||
switch (action) {
|
switch (action) {
|
||||||
@@ -499,7 +499,7 @@ void NetworkCloseClient(NetworkClientState *cs)
|
|||||||
|
|
||||||
GetString(str, STR_NETWORK_ERR_CLIENT_GENERAL + errorno);
|
GetString(str, STR_NETWORK_ERR_CLIENT_GENERAL + errorno);
|
||||||
|
|
||||||
NetworkTextMessage(NETWORK_ACTION_LEAVE, 1, false, client_name, str);
|
NetworkTextMessage(NETWORK_ACTION_LEAVE, 1, false, client_name, "%s", str);
|
||||||
|
|
||||||
// Inform other clients of this... strange leaving ;)
|
// Inform other clients of this... strange leaving ;)
|
||||||
FOR_ALL_CLIENTS(new_cs) {
|
FOR_ALL_CLIENTS(new_cs) {
|
||||||
|
|||||||
@@ -349,7 +349,7 @@ DEF_CLIENT_RECEIVE_COMMAND(PACKET_SERVER_CLIENT_INFO)
|
|||||||
if (ci != NULL) {
|
if (ci != NULL) {
|
||||||
if (playas == ci->client_playas && strcmp(name, ci->client_name) != 0) {
|
if (playas == ci->client_playas && strcmp(name, ci->client_name) != 0) {
|
||||||
// Client name changed, display the change
|
// Client name changed, display the change
|
||||||
NetworkTextMessage(NETWORK_ACTION_NAME_CHANGE, 1, false, ci->client_name, name);
|
NetworkTextMessage(NETWORK_ACTION_NAME_CHANGE, 1, false, ci->client_name, "%s", name);
|
||||||
} else if (playas != ci->client_playas) {
|
} else if (playas != ci->client_playas) {
|
||||||
// The player changed from client-player..
|
// The player changed from client-player..
|
||||||
// Do not display that for now
|
// Do not display that for now
|
||||||
@@ -666,7 +666,7 @@ DEF_CLIENT_RECEIVE_COMMAND(PACKET_SERVER_ERROR_QUIT)
|
|||||||
|
|
||||||
ci = NetworkFindClientInfoFromIndex(index);
|
ci = NetworkFindClientInfoFromIndex(index);
|
||||||
if (ci != NULL) {
|
if (ci != NULL) {
|
||||||
NetworkTextMessage(NETWORK_ACTION_LEAVE, 1, false, ci->client_name, str);
|
NetworkTextMessage(NETWORK_ACTION_LEAVE, 1, false, ci->client_name, "%s", str);
|
||||||
|
|
||||||
// The client is gone, give the NetworkClientInfo free
|
// The client is gone, give the NetworkClientInfo free
|
||||||
ci->client_index = NETWORK_EMPTY_INDEX;
|
ci->client_index = NETWORK_EMPTY_INDEX;
|
||||||
@@ -684,11 +684,11 @@ DEF_CLIENT_RECEIVE_COMMAND(PACKET_SERVER_QUIT)
|
|||||||
NetworkClientInfo *ci;
|
NetworkClientInfo *ci;
|
||||||
|
|
||||||
index = NetworkRecv_uint16(MY_CLIENT, p);
|
index = NetworkRecv_uint16(MY_CLIENT, p);
|
||||||
NetworkRecv_string(MY_CLIENT, p, str, 100);
|
NetworkRecv_string(MY_CLIENT, p, str, lengthof(str));
|
||||||
|
|
||||||
ci = NetworkFindClientInfoFromIndex(index);
|
ci = NetworkFindClientInfoFromIndex(index);
|
||||||
if (ci != NULL) {
|
if (ci != NULL) {
|
||||||
NetworkTextMessage(NETWORK_ACTION_LEAVE, 1, false, ci->client_name, str);
|
NetworkTextMessage(NETWORK_ACTION_LEAVE, 1, false, ci->client_name, "%s", str);
|
||||||
|
|
||||||
// The client is gone, give the NetworkClientInfo free
|
// The client is gone, give the NetworkClientInfo free
|
||||||
ci->client_index = NETWORK_EMPTY_INDEX;
|
ci->client_index = NETWORK_EMPTY_INDEX;
|
||||||
|
|||||||
@@ -162,7 +162,7 @@ DEF_SERVER_SEND_COMMAND_PARAM(PACKET_SERVER_ERROR)(NetworkClientState *cs, Netwo
|
|||||||
|
|
||||||
DEBUG(net, 2)("[NET] %s made an error (%s) and his connection is closed", client_name, str);
|
DEBUG(net, 2)("[NET] %s made an error (%s) and his connection is closed", client_name, str);
|
||||||
|
|
||||||
NetworkTextMessage(NETWORK_ACTION_LEAVE, 1, false, client_name, str);
|
NetworkTextMessage(NETWORK_ACTION_LEAVE, 1, false, client_name, "%s", str);
|
||||||
|
|
||||||
FOR_ALL_CLIENTS(new_cs) {
|
FOR_ALL_CLIENTS(new_cs) {
|
||||||
if (new_cs->status > STATUS_AUTH && new_cs != cs) {
|
if (new_cs->status > STATUS_AUTH && new_cs != cs) {
|
||||||
@@ -904,7 +904,7 @@ DEF_SERVER_RECEIVE_COMMAND(PACKET_CLIENT_ERROR)
|
|||||||
|
|
||||||
DEBUG(net, 2)("[NET] %s reported an error and is closing his connection (%s)", client_name, str);
|
DEBUG(net, 2)("[NET] %s reported an error and is closing his connection (%s)", client_name, str);
|
||||||
|
|
||||||
NetworkTextMessage(NETWORK_ACTION_LEAVE, 1, false, client_name, str);
|
NetworkTextMessage(NETWORK_ACTION_LEAVE, 1, false, client_name, "%s", str);
|
||||||
|
|
||||||
FOR_ALL_CLIENTS(new_cs) {
|
FOR_ALL_CLIENTS(new_cs) {
|
||||||
if (new_cs->status > STATUS_AUTH) {
|
if (new_cs->status > STATUS_AUTH) {
|
||||||
@@ -929,11 +929,11 @@ DEF_SERVER_RECEIVE_COMMAND(PACKET_CLIENT_QUIT)
|
|||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
NetworkRecv_string(cs, p, str, 100);
|
NetworkRecv_string(cs, p, str, lengthof(str));
|
||||||
|
|
||||||
NetworkGetClientName(client_name, sizeof(client_name), cs);
|
NetworkGetClientName(client_name, sizeof(client_name), cs);
|
||||||
|
|
||||||
NetworkTextMessage(NETWORK_ACTION_LEAVE, 1, false, client_name, str);
|
NetworkTextMessage(NETWORK_ACTION_LEAVE, 1, false, client_name, "%s", str);
|
||||||
|
|
||||||
FOR_ALL_CLIENTS(new_cs) {
|
FOR_ALL_CLIENTS(new_cs) {
|
||||||
if (new_cs->status > STATUS_AUTH) {
|
if (new_cs->status > STATUS_AUTH) {
|
||||||
@@ -1108,7 +1108,7 @@ DEF_SERVER_RECEIVE_COMMAND(PACKET_CLIENT_SET_NAME)
|
|||||||
if (ci != NULL) {
|
if (ci != NULL) {
|
||||||
// Display change
|
// Display change
|
||||||
if (NetworkFindName(client_name)) {
|
if (NetworkFindName(client_name)) {
|
||||||
NetworkTextMessage(NETWORK_ACTION_NAME_CHANGE, 1, false, ci->client_name, client_name);
|
NetworkTextMessage(NETWORK_ACTION_NAME_CHANGE, 1, false, ci->client_name, "%s", client_name);
|
||||||
ttd_strlcpy(ci->client_name, client_name, sizeof(ci->client_name));
|
ttd_strlcpy(ci->client_name, client_name, sizeof(ci->client_name));
|
||||||
NetworkUpdateClientInfo(ci->client_index);
|
NetworkUpdateClientInfo(ci->client_index);
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -62,7 +62,7 @@ void CDECL AddTextMessage(uint16 color, uint8 duration, const char *message, ...
|
|||||||
int length;
|
int length;
|
||||||
|
|
||||||
va_start(va, message);
|
va_start(va, message);
|
||||||
vsprintf(buf, message, va);
|
vsnprintf(buf, lengthof(buf), message, va);
|
||||||
va_end(va);
|
va_end(va);
|
||||||
|
|
||||||
/* Special color magic */
|
/* Special color magic */
|
||||||
|
|||||||
Reference in New Issue
Block a user