(svn r2899) -Fix: Several format string vulnerabilities and buffer overflows in the network code
authortron
Sun, 28 Aug 2005 12:24:57 +0000
changeset 2373 f06403621870
parent 2372 f751e366f618
child 2374 74afdc193f78
(svn r2899) -Fix: Several format string vulnerabilities and buffer overflows in the network code
console_cmds.c
network.c
network_client.c
network_server.c
texteff.c
--- a/console_cmds.c	Sun Aug 28 10:59:34 2005 +0000
+++ b/console_cmds.c	Sun Aug 28 12:24:57 2005 +0000
@@ -1132,7 +1132,7 @@
 			SEND_COMMAND(PACKET_CLIENT_SET_NAME)(_network_player_name);
 		} else {
 			if (NetworkFindName(_network_player_name)) {
-				NetworkTextMessage(NETWORK_ACTION_NAME_CHANGE, 1, false, ci->client_name, _network_player_name);
+				NetworkTextMessage(NETWORK_ACTION_NAME_CHANGE, 1, false, ci->client_name, "%s", _network_player_name);
 				ttd_strlcpy(ci->client_name, _network_player_name, sizeof(ci->client_name));
 				NetworkUpdateClientInfo(NETWORK_SERVER_INDEX);
 			}
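Review bot: Nothing at this call site stops a later caller from passing a player-controlled string as the format again, because the `"%s"` has to be remembered by hand at every NetworkTextMessage call. The prototype, which is outside this hunk, could carry a printf format attribute on GCC builds, e.g. `__attribute__((format(printf, 5, 6)))` if the format is the fifth parameter as this call suggests. With that in place `-Wformat-security` reports a non-literal format that has no arguments. The same applies to the other call sites patched in network.c, network_client.c and network_server.c.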
--- a/network.c	Sun Aug 28 10:59:34 2005 +0000
+++ b/network.c	Sun Aug 28 12:24:57 2005 +0000
@@ -100,7 +100,7 @@
 	char temp[1024];
 
 	va_start(va, str);
-	vsprintf(buf, str, va);
+	vsnprintf(buf, lengthof(buf), str, va);
 	va_end(va);
 
 	switch (action) {
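Review bot: The return value of `vsnprintf` is dropped, so truncation goes undetected and termination is not guaranteed on every toolchain. Where `vsnprintf` is mapped to a pre-C99 variant such as MSVC's `_vsnprintf`, a message that fills the buffer is left without a NUL. Adding `buf[lengthof(buf) - 1] = '\0';` after `va_end(va);` keeps later reads of `buf` in bounds regardless of the C library, and the identical call in the texteff.c hunk needs the same line. The declaration of `buf` and the rest of the function are outside this hunk, so how `temp[1024]` is filled afterwards cannot be checked here.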
@@ -499,7 +499,7 @@
 
 		GetString(str, STR_NETWORK_ERR_CLIENT_GENERAL + errorno);
 
-		NetworkTextMessage(NETWORK_ACTION_LEAVE, 1, false, client_name, str);
+		NetworkTextMessage(NETWORK_ACTION_LEAVE, 1, false, client_name, "%s", str);
 
 		// Inform other clients of this... strange leaving ;)
 		FOR_ALL_CLIENTS(new_cs) {
--- a/network_client.c	Sun Aug 28 10:59:34 2005 +0000
+++ b/network_client.c	Sun Aug 28 12:24:57 2005 +0000
@@ -349,7 +349,7 @@
 	if (ci != NULL) {
 		if (playas == ci->client_playas && strcmp(name, ci->client_name) != 0) {
 			// Client name changed, display the change
-			NetworkTextMessage(NETWORK_ACTION_NAME_CHANGE, 1, false, ci->client_name, name);
+			NetworkTextMessage(NETWORK_ACTION_NAME_CHANGE, 1, false, ci->client_name, "%s", name);
 		} else if (playas != ci->client_playas) {
 			// The player changed from client-player..
 			// Do not display that for now
@@ -666,7 +666,7 @@
 
 	ci = NetworkFindClientInfoFromIndex(index);
 	if (ci != NULL) {
-		NetworkTextMessage(NETWORK_ACTION_LEAVE, 1, false, ci->client_name, str);
+		NetworkTextMessage(NETWORK_ACTION_LEAVE, 1, false, ci->client_name, "%s", str);
 
 		// The client is gone, give the NetworkClientInfo free
 		ci->client_index = NETWORK_EMPTY_INDEX;
@@ -684,11 +684,11 @@
 	NetworkClientInfo *ci;
 
 	index = NetworkRecv_uint16(MY_CLIENT, p);
-	NetworkRecv_string(MY_CLIENT, p, str, 100);
+	NetworkRecv_string(MY_CLIENT, p, str, lengthof(str));
 
 	ci = NetworkFindClientInfoFromIndex(index);
 	if (ci != NULL) {
-		NetworkTextMessage(NETWORK_ACTION_LEAVE, 1, false, ci->client_name, str);
+		NetworkTextMessage(NETWORK_ACTION_LEAVE, 1, false, ci->client_name, "%s", str);
 
 		// The client is gone, give the NetworkClientInfo free
 		ci->client_index = NETWORK_EMPTY_INDEX;
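Review bot: `lengthof(str)` is the buffer size only while `str` is a local array, and its declaration is outside this hunk. Assuming `lengthof` is the usual `sizeof(x) / sizeof(x[0])` macro, it would silently yield the pointer size if `str` were ever passed in as a `char *`. A short comment at the declaration would guard against that, e.g. `/* must remain an array: lengthof(str) bounds the network read below */`. The same holds for the `NetworkRecv_string(cs, p, str, lengthof(str))` call in the network_server.c hunk at -929.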
--- a/network_server.c	Sun Aug 28 10:59:34 2005 +0000
+++ b/network_server.c	Sun Aug 28 12:24:57 2005 +0000
@@ -162,7 +162,7 @@
 
 		DEBUG(net, 2)("[NET] %s made an error (%s) and his connection is closed", client_name, str);
 
-		NetworkTextMessage(NETWORK_ACTION_LEAVE, 1, false, client_name, str);
+		NetworkTextMessage(NETWORK_ACTION_LEAVE, 1, false, client_name, "%s", str);
 
 		FOR_ALL_CLIENTS(new_cs) {
 			if (new_cs->status > STATUS_AUTH && new_cs != cs) {
@@ -904,7 +904,7 @@
 
 	DEBUG(net, 2)("[NET] %s reported an error and is closing his connection (%s)", client_name, str);
 
-	NetworkTextMessage(NETWORK_ACTION_LEAVE, 1, false, client_name, str);
+	NetworkTextMessage(NETWORK_ACTION_LEAVE, 1, false, client_name, "%s", str);
 
 	FOR_ALL_CLIENTS(new_cs) {
 		if (new_cs->status > STATUS_AUTH) {
@@ -929,11 +929,11 @@
 		return;
 	}
 
-	NetworkRecv_string(cs, p, str, 100);
+	NetworkRecv_string(cs, p, str, lengthof(str));
 
 	NetworkGetClientName(client_name, sizeof(client_name), cs);
 
-	NetworkTextMessage(NETWORK_ACTION_LEAVE, 1, false, client_name, str);
+	NetworkTextMessage(NETWORK_ACTION_LEAVE, 1, false, client_name, "%s", str);
 
 	FOR_ALL_CLIENTS(new_cs) {
 		if (new_cs->status > STATUS_AUTH) {
@@ -1108,7 +1108,7 @@
 	if (ci != NULL) {
 		// Display change
 		if (NetworkFindName(client_name)) {
-			NetworkTextMessage(NETWORK_ACTION_NAME_CHANGE, 1, false, ci->client_name, client_name);
+			NetworkTextMessage(NETWORK_ACTION_NAME_CHANGE, 1, false, ci->client_name, "%s", client_name);
 			ttd_strlcpy(ci->client_name, client_name, sizeof(ci->client_name));
 			NetworkUpdateClientInfo(ci->client_index);
 		}
--- a/texteff.c	Sun Aug 28 10:59:34 2005 +0000
+++ b/texteff.c	Sun Aug 28 12:24:57 2005 +0000
@@ -62,7 +62,7 @@
 	int length;
 
 	va_start(va, message);
-	vsprintf(buf, message, va);
+	vsnprintf(buf, lengthof(buf), message, va);
 	va_end(va);
 
 	/* Special color magic */