[12769] in bugtraq
FICS buffer overflow
daemon@ATHENA.MIT.EDU (canul)
Tue Nov 30 11:48:01 1999
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.BSO.4.20.9911291455330.12102-100000@halflife.dyn.insomnia.org>
Date: Mon, 29 Nov 1999 14:57:30 -0500
Reply-To: canul <canul@HALFLIFE.DYN.INSOMNIA.ORG>
From: canul <canul@HALFLIFE.DYN.INSOMNIA.ORG>
X-To: bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
While documenting the FICS (free internet chess server) protocol for
purposes of an alternative to the xboard program, I encountered what looks
to be a potential for attack. This vulnerability has been verified by one
of the largest FICS-based systems, chess.net <http://www.chess.net>.
The problem involves unchecked user input to a fixed-length
string. Non-denial-of-service exploitation of the questionable code looks
possible but not trivial, as there is not room in the buffer for
shellcode, but putting it elsewhere is certainly a possibility. I have written
a patch that resolves the problem, in some fashion.
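The pattern described above, as an added example that is not part of the original post or of the FICS source: a `sprintf(dname, "%s/%s", board_dir, category)` into a fixed buffer, shown as the number of bytes it would write, beside a bounded replacement that derives the allowed category length from the buffer size and checks the pointer before touching it. The `board_dir` value, the 64-byte `dname` size and the category strings are assumptions constructed for illustration; the `'/'` rejection is an added hardening beyond what the patch does.

```c
/*
 * Added example (not FICS code): the sprintf-into-fixed-buffer pattern the
 * advisory describes, beside a bounded replacement. board_dir, the 64-byte
 * dname and the category strings are constructed here for illustration.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define DNAME_SIZE 64   /* assumed size of the fixed-length dname buffer */

static const char *board_dir = "/usr/local/fics/boards";   /* assumed path */

/* What the original sprintf(dname, "%s/%s", board_dir, category) writes:
 * both strings, the '/', and the NUL, with no regard to sizeof(dname).
 * Computed rather than written so the example never overruns memory. */
size_t bytes_sprintf_would_write(const char *category)
{
    return strlen(board_dir) + 1 + strlen(category) + 1;
}

/* Largest category length that still fits: buffer minus board_dir, '/', NUL.
 * Deriving the limit from the buffer ties it to the real constraint instead
 * of an unrelated constant such as CATEGORY_LIMIT 100. */
size_t max_category_len(size_t dname_size)
{
    size_t fixed = strlen(board_dir) + 2;
    return dname_size > fixed ? dname_size - fixed : 0;
}

/* Bounded replacement. Returns true and fills dname on success; on any
 * rejection dname is left empty. The NULL test comes first because the
 * caller may not have set a category at all. The '/' test is an added
 * hardening beyond the advisory's patch: it keeps the lookup under board_dir. */
bool build_board_path(char *dname, size_t dname_size, const char *category)
{
    if (dname_size == 0)
        return false;
    dname[0] = '\0';
    if (category == NULL || category[0] == '\0')
        return false;
    if (strlen(category) > max_category_len(dname_size))
        return false;
    if (strchr(category, '/') != NULL)
        return false;
    /* snprintf returns the length it wanted to write; >= size means it
     * truncated, which the length check above should already have excluded. */
    int n = snprintf(dname, dname_size, "%s/%s", board_dir, category);
    if (n < 0 || (size_t)n >= dname_size) {
        dname[0] = '\0';
        return false;
    }
    return true;
}

/* Worked comparison for one oversized input (a constructed 200-byte
 * category): how far the original sprintf would run past DNAME_SIZE. */
size_t overflow_bytes_for_long_category(void)
{
    char category[201];
    memset(category, 'A', 200);
    category[200] = '\0';
    size_t need = bytes_sprintf_would_write(category);
    return need > DNAME_SIZE ? need - DNAME_SIZE : 0;
}

/* Same constructed input through the bounded version. */
bool bounded_version_rejects_long_category(void)
{
    char category[201];
    char dname[DNAME_SIZE];
    memset(category, 'A', 200);
    category[200] = '\0';
    return !build_board_path(dname, sizeof dname, category);
}

int main(void)
{
    char dname[DNAME_SIZE];
    printf("max category length for %d-byte buffer: %zu\n",
           DNAME_SIZE, max_category_len(sizeof dname));
    if (build_board_path(dname, sizeof dname, "standard"))
        printf("ok: %s\n", dname);
    printf("200-byte category: original sprintf overruns dname by %zu bytes\n",
           overflow_bytes_for_long_category());
    printf("bounded version rejects it: %s\n",
           bounded_version_rejects_long_category() ? "yes" : "no");
    return 0;
}
```

With the assumed 22-byte `board_dir` and a 64-byte `dname`, the bounded version accepts categories up to 40 bytes; a 200-byte category would have made the original `sprintf` write 160 bytes past the end of `dname`, which is the overrun the advisory is about.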
-------------------------------------------------------------------------------
--- gameproc.c Tue Nov 16 13:52:31 1999
+++ gameproc.1.c Sat Nov 20 19:45:08 1999
@@ -24,6 +24,7 @@
Second is obsproc.c.
DAV 96/7/1 Added avail stuff
*/
+/* canul@halflife.dyn.insomnia.org com_boards buffer overflow fix */
#include "stdinclude.h"
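Review bot: the added header comment records who made the change but not what the bound protects or when it went in, while the surrounding header lines are dated entries of the form "DAV 96/7/1 Added avail stuff"; follow that form, e.g. "canul 99/11/20 Bound category length in com_boards (CATEGORY_LIMIT)", so a later reader can connect the comment to the check and to the dname buffer it guards.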
@@ -1445,6 +1446,16 @@
if (param[0].type == TYPE_WORD)
category = param[0].val.word;
+
+#ifndef CATEGORY_LIMIT
+# define CATEGORY_LIMIT 100
+#endif
+ if (strlen(category) > CATEGORY_LIMIT)
+ {
+ pprintf(p, "That category exceeds the string limit\n");
+ return COM_OK;
+ }
+
if (category) {
pprintf(p, "Boards Available For Category %s:\n", category);
sprintf(dname, "%s/%s", board_dir, category);
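Review bot: the new `strlen(category)` runs before the existing `if (category)` test, so when param[0].type is not TYPE_WORD and category was never assigned, the check dereferences a null pointer on the way to the code that handles the no-category case; move the length test inside `if (category) {` or write `if (category && strlen(category) > CATEGORY_LIMIT)`. Separately, CATEGORY_LIMIT 100 is an unrelated constant: the real bound is sizeof(dname) minus strlen(board_dir) minus 2 (the '/' and the NUL), neither of which this hunk shows, so either derive the limit from those or replace the sprintf with `snprintf(dname, sizeof dname, "%s/%s", board_dir, category)` and check its return value, which also covers board_dir growing later. The length check leaves the content unconstrained, so a category containing '/' still names a directory outside board_dir; reject it if the lookup is meant to stay there.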