[28850] in bugtraq


Re: #!ICadv-02.09.03: nethack 3.4.0 local buffer overflow

daemon@ATHENA.MIT.EDU (Peter Pentchev)
Tue Feb 11 11:35:39 2003

Date: Tue, 11 Feb 2003 16:08:28 +0200
From: Peter Pentchev <roam@ringlet.net>
To: tsao_4sh0@hushmail.com
Message-ID: <20030211140828.GA373@straylight.oblivion.bg>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="cNdxnHkX5QqsyA0e"
Content-Disposition: inline
In-Reply-To: <200302090718.h197Io8S015122@mailserver2.hushmail.com>

--cNdxnHkX5QqsyA0e
Content-Type: text/plain; charset=windows-1251
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Sat, Feb 08, 2003 at 11:18:49PM -0800, tsao_4sh0@hushmail.com wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> ###################################################
>
> /usr/games/lib/nethackdir/nethack - LOCALLY EXPLOITABLE BUFFER
>
> try th1s: nethack -s `perl -e "print 'A' x 1000"`

Here is a bandaid that I just committed to the FreeBSD Ports Collection
and also submitted to the NetHack developers.  I say 'bandaid', because
there might be a lot of other strcat() weirdnesses in the NetHack source
:(

The patch is also available at
http://people.FreeBSD.org/~roam/devel/nethack/topten.c.patch

G'luck,
Peter

-- 
Peter Pentchev	roam@ringlet.net	roam@FreeBSD.org
PGP key:	http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint	FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
I've heard that this sentence is a rumor.

--- src/topten.c	Thu Mar 21 01:43:19 2002
+++ src/topten.c	Tue Feb 11 15:36:23 2003
@@ -855,8 +855,15 @@
 	    if (playerct < 1) Strcat(pbuf, "you.");
 	    else {
 		if (playerct > 1) Strcat(pbuf, "any of ");
-		for (i = 0; i < playerct; i++) {
-		    Strcat(pbuf, players[i]);
+		for (i = 0; i < playerct && strlen(pbuf) < sizeof(pbuf) - 2;
+		    i++) {
+		    size_t len = strlen(pbuf), rest;
+		    if (strlen(players[i]) > sizeof(pbuf) - len - 2) {
+			rest = sizeof(pbuf) - strlen(pbuf) - 2;
+			memcpy(pbuf + len, players[i], rest);
+			pbuf[len + rest] = '\0';
+		    } else
+			Strcat(pbuf, players[i]);
 		    if (i < playerct-1) {
 			if (players[i][0] == '-' &&
 			    index("pr", players[i][1]) && players[i][2] == 0)
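Review bot: the truncation branch reserves only two bytes (`sizeof(pbuf) - len - 2`, i.e. the terminator plus one spare byte), which bounds this Strcat but not whatever the separator code beginning at `if (i < playerct-1)` appends to pbuf afterwards within the same iteration; if that path appends more than the spare byte, a player name that fills the buffer can still push the later Strcat past the end. Suggest reserving the length of the longest separator plus the terminator, or bounding those appends the same way. Minor: `rest = sizeof(pbuf) - strlen(pbuf) - 2` recomputes the length already held in `len`, and the whole check depends on `pbuf` being an array in this scope, since `sizeof(pbuf)` on a pointer would yield the pointer size rather than the buffer size.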

--cNdxnHkX5QqsyA0e
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (FreeBSD)

iD8DBQE+SQPc7Ri2jRYZRVMRAk1FAJ9pSXvbQhwarvS12JrL381v096JJwCeP83B
aBGDAkBKf7UsQOI8KpTvTlA=
=XZso
-----END PGP SIGNATURE-----

--cNdxnHkX5QqsyA0e--
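The fix above bounds one Strcat by truncating the name that would not fit. The following is an added example, not Peter's patch and not NetHack's own code: it generalises the same idea into a small bounded-append helper that keeps a caller-chosen number of bytes in reserve for whatever is appended next, rebuilds the "any of a, b or c." list with it, and feeds it a constructed 1000-byte name of the shape the advisory describes to show that the buffer's neighbour (a canary byte) is never touched. The helper name `bounded_strcat`, the `PBUFSZ` size, the prefix text and the player names are all assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

#define PBUFSZ 64   /* small on purpose so truncation is easy to see */

/* Bounded append in the spirit of the topten.c fix: copy as much of src as
 * fits into dst (total size dstsz) while keeping 'reserve' bytes free
 * beyond the terminator for whatever the caller appends next. Returns 1 if
 * src was cut short or not appended at all, 0 if it was copied whole.
 * (Helper name and signature are this example's own, not NetHack's.) */
int bounded_strcat(char *dst, size_t dstsz, const char *src, size_t reserve)
{
    size_t len = strlen(dst);
    size_t room;

    if (dstsz < reserve + 1 || len >= dstsz - reserve - 1)
        return 1;                        /* nothing fits; dst untouched */
    room = dstsz - reserve - 1 - len;    /* bytes of src that can be taken */
    if (strlen(src) > room) {
        memcpy(dst + len, src, room);
        dst[len + room] = '\0';
        return 1;
    }
    strcpy(dst + len, src);
    return 0;
}

/* pbuf followed by a canary byte: if any append ran past the buffer the
 * canary would no longer read 0xAA. */
struct guarded {
    char pbuf[PBUFSZ];
    unsigned char canary;
};

/* Build "No scores for any of a, b or c." the way the topten.c loop does,
 * but with every append bounded. Each name reserves 5 bytes so that the
 * longest separator (" or ") and the closing '.' always still fit.
 * Returns how many appends had to be truncated. */
int build_player_list(struct guarded *g, const char **players, int playerct)
{
    int i, truncated = 0;

    g->canary = 0xAA;
    strcpy(g->pbuf, "No scores for ");   /* constructed prefix, fits */
    if (playerct < 1)
        return bounded_strcat(g->pbuf, PBUFSZ, "you.", 0);
    if (playerct > 1)
        truncated += bounded_strcat(g->pbuf, PBUFSZ, "any of ", 0);
    for (i = 0; i < playerct; i++) {
        truncated += bounded_strcat(g->pbuf, PBUFSZ, players[i], 5);
        if (i < playerct - 1)
            truncated += bounded_strcat(g->pbuf, PBUFSZ,
                                        i == playerct - 2 ? " or " : ", ", 1);
    }
    truncated += bounded_strcat(g->pbuf, PBUFSZ, ".", 0);
    return truncated;
}

/* Feed the list a constructed 1000-byte name (the same shape as the
 * advisory's 'A' x 1000 argument). Returns the truncation count, or -1 if
 * the canary was clobbered or pbuf lost its terminator. */
int demo_long_name(void)
{
    static char longname[1001];
    const char *players[3];
    struct guarded g;
    int truncated;

    memset(longname, 'A', 1000);
    longname[1000] = '\0';
    players[0] = "alice";
    players[1] = longname;
    players[2] = "bob";
    truncated = build_player_list(&g, players, 3);
    if (g.canary != 0xAA || strlen(g.pbuf) >= PBUFSZ)
        return -1;
    printf("%s\n", g.pbuf);
    return truncated;   /* 2: the long name, and "bob" which no longer fits */
}

int main(void)
{
    return demo_long_name() == 2 ? 0 : 1;
}
```

With a 64-byte buffer the long name is cut to the 30 bytes that fit, the " or " separator and the final '.' still land inside the buffer because the name append reserved room for them, and the name after it is dropped rather than written past the end. The reserve argument is the piece the original two-byte margin leaves implicit: whoever appends next has to know how much space was kept for them.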
