Topic: bufferoverflow in ioquake3 < revision1025
Fuddl
« on: December 31, 2006, 10:51:12 am »

hi guys,

some seconds ago, ludwig nussel committed a fix for a buffer overflow in the ioq3 engine < svn revision 1025.

c&p from the commit mail:

Code:
Author: ludwig
Date: 2006-12-31 10:36:42 -0500 (Sun, 31 Dec 2006)
New Revision: 1025

Modified:
   trunk/code/qcommon/net_chan.c
   trunk/code/server/sv_client.c
Log:
fix buffer overflow and format string bug in auth server response
processing


Modified: trunk/code/qcommon/net_chan.c
===================================================================
--- trunk/code/qcommon/net_chan.c 2006-12-30 16:16:25 UTC (rev 1024)
+++ trunk/code/qcommon/net_chan.c 2006-12-31 15:36:42 UTC (rev 1025)
@@ -719,7 +719,7 @@
  string[3] = -1;
 
  va_start( argptr, format );
- vsprintf( string+4, format, argptr );
+ vsnprintf( string+4, sizeof(string)-4, format, argptr );
  va_end( argptr );
 
  // send the datagram
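
Review bot: the return value of vsnprintf in `vsnprintf( string+4, sizeof(string)-4, format, argptr );` is discarded, so a message that does not fit is now truncated silently and still sent. Consider comparing the result against sizeof(string)-4 and logging or dropping the packet when it is too long. Also, sizeof(string) yields the buffer size only if string is declared as an array in this function; the declaration is outside the hunk, so confirm it is not a pointer.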

Modified: trunk/code/server/sv_client.c
===================================================================
--- trunk/code/server/sv_client.c 2006-12-30 16:16:25 UTC (rev 1024)
+++ trunk/code/server/sv_client.c 2006-12-31 15:36:42 UTC (rev 1025)
@@ -149,7 +149,6 @@
  int i;
  char *s;
  char *r;
- char ret[1024];
 
  if ( !NET_CompareBaseAdr( from, svs.authorizeAddress ) ) {
  Com_Printf( "SV_AuthorizeIpPacket: not from authorize server\n" );
@@ -195,8 +194,7 @@
  if (!r) {
  NET_OutOfBandPrint( NS_SERVER, svs.challenges[i].adr, "print\nAwaiting CD key authorization\n" );
  } else {
- sprintf(ret, "print\n%s\n", r);
- NET_OutOfBandPrint( NS_SERVER, svs.challenges[i].adr, ret );
+ NET_OutOfBandPrint( NS_SERVER, svs.challenges[i].adr, "print\n%s\n", r);
  }
  // clear the challenge record so it won't timeout and let them through
  Com_Memset( &svs.challenges[i], 0, sizeof( svs.challenges[i] ) );
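
Review bot: with `"print\n%s\n", r` the authorize server's text is no longer used as a format string, but its length is still unchecked at this call site, so the overflow fix here depends entirely on the vsnprintf bound added in net_chan.c in the same revision; the two changes should not be applied separately. A precision such as `%.*s` with an explicit cap would make the limit visible at the call. Style: `r);` lacks the space before the closing parenthesis that the second call (`r );`) and the surrounding code use.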
@@ -207,8 +205,7 @@
  if (!r) {
  NET_OutOfBandPrint( NS_SERVER, svs.challenges[i].adr, "print\nSomeone is using this CD Key\n" );
  } else {
- sprintf(ret, "print\n%s\n", r);
- NET_OutOfBandPrint( NS_SERVER, svs.challenges[i].adr, ret );
+ NET_OutOfBandPrint( NS_SERVER, svs.challenges[i].adr, "print\n%s\n", r );
  }
 
  // clear the challenge record so it won't timeout and let them through
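
Review bot: this branch repeats the previous hunk's reply pattern, and both removed versions passed a runtime-built buffer (`ret`) as the format argument of NET_OutOfBandPrint. To catch any other caller doing the same, consider declaring NET_OutOfBandPrint with GCC's `__attribute__((format(printf, 3, 4)))` so the compiler can warn on non-literal formats, and fold the two deny replies into one helper so the `"print\n%s\n"` form lives in a single place.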

perhaps it wouldn't be a too bad idea to separate separate