Follow-up Comment #3, bug #20003 (project freeciv):

Thank you for your patch which fixes part A].

As to part B], it seems that the infinite loop comes from this part of
common/generate_packets.py:
<pre>
        else:
            return '''
for (;;) {
  int i;

  dio_get_uint8(&din, &i);
  if(i == 255) {
    break;
  }
  if(i > %(array_size_u)s) {
    log_error("packets_gen.c: WARNING: ignoring intra array diff");
  } else {
    %(c)s
  }
}'''%self.get_dict(vars())
</pre>

The only way out of the for(;;) is if we manage to read 255.
(What seems odd is that the exploit seems to send many 0xff's, and I would
have expected the opposite.)

    _______________________________________________________

Reply to this item at:

  <http://gna.org/bugs/?20003>
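
An added example, not part of the original comment and not freeciv's code: a C model of the loop quoted above in which every read reports end of input, so a packet body that never supplies the 255 terminator ends the loop instead of spinning. The `reader` struct, `rd_u8`, `read_array_diff`, and the entry layout (one index byte followed by one value byte) are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical cursor over a packet body; not freeciv's data_in. */
struct reader { const uint8_t *buf; size_t len, pos; };
enum diff_result { DIFF_OK, DIFF_TRUNCATED };

/* Returns false once the input is exhausted, so callers can stop. */
static bool rd_u8(struct reader *r, int *out)
{
  if (r->pos >= r->len) {
    return false;
  }
  *out = r->buf[r->pos++];
  return true;
}

/* Applies (index, value) entries until the 255 terminator (assumed layout).
 * Every read is checked, so the loop is bounded by the packet length. */
static enum diff_result read_array_diff(struct reader *r, uint8_t *arr,
                                        size_t n, int *applied)
{
  *applied = 0;
  for (;;) {
    int i = 0, v = 0;
    if (!rd_u8(r, &i) || (i != 255 && !rd_u8(r, &v))) {
      return DIFF_TRUNCATED;  /* data ended before the terminator */
    }
    if (i == 255) {
      return DIFF_OK;
    }
    if ((size_t)i < n) {      /* out-of-range indexes are ignored */
      arr[i] = (uint8_t)v;
      (*applied)++;
    }
  }
}

int main(void)
{
  static const uint8_t cut[] = { 2, 7, 0, 9 };  /* constructed; no 255 */
  struct reader r = { cut, sizeof cut, 0 };
  uint8_t arr[4] = { 0 };
  int applied;
  enum diff_result res = read_array_diff(&r, arr, 4, &applied);
  printf("truncated=%d applied=%d\n", res == DIFF_TRUNCATED, applied);
  return 0;
}
```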
