Module Name: src
Committed By: dholland
Date: Mon Jun 29 23:05:33 UTC 2009
Modified Files:
src/games/hack: hack.do_name.c hack.h hack.invent.c hack.main.c
hack.rip.c hack.topl.c hack.unix.c
Log Message:
Fix two serious string-handling bugs (one exploitable, one probably
exploitable) and also add proper checking/paranoia in several other
places.
To generate a diff of this commit:
cvs rdiff -u -r1.9 -r1.10 src/games/hack/hack.do_name.c
cvs rdiff -u -r1.12 -r1.13 src/games/hack/hack.h src/games/hack/hack.invent.c \
src/games/hack/hack.main.c src/games/hack/hack.unix.c
cvs rdiff -u -r1.10 -r1.11 src/games/hack/hack.rip.c \
src/games/hack/hack.topl.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/games/hack/hack.do_name.c
diff -u src/games/hack/hack.do_name.c:1.9 src/games/hack/hack.do_name.c:1.10
--- src/games/hack/hack.do_name.c:1.9 Sun Jun 7 20:13:18 2009
+++ src/games/hack/hack.do_name.c Mon Jun 29 23:05:33 2009
@@ -1,4 +1,4 @@
-/* $NetBSD: hack.do_name.c,v 1.9 2009/06/07 20:13:18 dholland Exp $ */
+/* $NetBSD: hack.do_name.c,v 1.10 2009/06/29 23:05:33 dholland Exp $ */
/*
* Copyright (c) 1985, Stichting Centrum voor Wiskunde en Informatica,
@@ -63,7 +63,7 @@
#include <sys/cdefs.h>
#ifndef lint
-__RCSID("$NetBSD: hack.do_name.c,v 1.9 2009/06/07 20:13:18 dholland Exp $");
+__RCSID("$NetBSD: hack.do_name.c,v 1.10 2009/06/29 23:05:33 dholland Exp $");
#endif /* not lint */
#include <stdlib.h>
@@ -279,7 +279,7 @@
gn = ghostnames[rn2(SIZE(ghostnames))];
if (!rn2(2))
(void)
- strcpy((char *) mtmp->mextra, !rn2(5) ? plname : gn);
+ strlcpy((char *) mtmp->mextra, !rn2(5) ? plname : gn, mtmp->mxlth);
}
(void) snprintf(buf, sizeof(buf), "%s's ghost", gn);
}
Index: src/games/hack/hack.h
diff -u src/games/hack/hack.h:1.12 src/games/hack/hack.h:1.13
--- src/games/hack/hack.h:1.12 Sun Jun 7 21:04:54 2009
+++ src/games/hack/hack.h Mon Jun 29 23:05:33 2009
@@ -1,4 +1,4 @@
-/* $NetBSD: hack.h,v 1.12 2009/06/07 21:04:54 dholland Exp $ */
+/* $NetBSD: hack.h,v 1.13 2009/06/29 23:05:33 dholland Exp $ */
/*
* Copyright (c) 1985, Stichting Centrum voor Wiskunde en Informatica,
@@ -202,7 +202,7 @@
extern char SAVEF[];
extern char fut_geno[60]; /* idem */
extern char genocided[60]; /* defined in Decl.c */
-extern char lock[];
+extern char lock[PL_NSIZ + 4];
extern const char mlarge[];
extern char morc;
extern const char nul[];
Index: src/games/hack/hack.invent.c
diff -u src/games/hack/hack.invent.c:1.12 src/games/hack/hack.invent.c:1.13
--- src/games/hack/hack.invent.c:1.12 Sun Jun 7 20:13:18 2009
+++ src/games/hack/hack.invent.c Mon Jun 29 23:05:33 2009
@@ -1,4 +1,4 @@
-/* $NetBSD: hack.invent.c,v 1.12 2009/06/07 20:13:18 dholland Exp $ */
+/* $NetBSD: hack.invent.c,v 1.13 2009/06/29 23:05:33 dholland Exp $ */
/*
* Copyright (c) 1985, Stichting Centrum voor Wiskunde en Informatica,
@@ -63,9 +63,10 @@
#include <sys/cdefs.h>
#ifndef lint
-__RCSID("$NetBSD: hack.invent.c,v 1.12 2009/06/07 20:13:18 dholland Exp $");
+__RCSID("$NetBSD: hack.invent.c,v 1.13 2009/06/29 23:05:33 dholland Exp $");
#endif /* not lint */
+#include <assert.h>
#include <stdlib.h>
#include "hack.h"
#include "extern.h"
@@ -555,7 +556,7 @@
char buf[BUFSZ];
char *ip;
char sym;
- int oletct = 0, iletct = 0;
+ unsigned oletct = 0, iletct = 0;
boolean allflag = FALSE;
char olets[20], ilets[20];
int (*ckfn)(struct obj *) =
@@ -586,6 +587,7 @@
if (invent)
ilets[iletct++] = 'a';
ilets[iletct] = 0;
+ assert(iletct < sizeof(ilets));
}
pline("What kinds of thing do you want to %s? [%s] ",
word, ilets);
@@ -614,6 +616,7 @@
olets[oletct++] = sym;
olets[oletct] = 0;
}
+ assert(oletct < sizeof(olets));
} else
pline("You don't have any %c's.", sym);
}
@@ -723,7 +726,7 @@
{
struct obj *otmp;
char ilet;
- int ct = 0;
+ unsigned ct = 0;
char any[BUFSZ];
morc = 0; /* just to be sure */
@@ -746,6 +749,7 @@
ilet = 'A';
}
any[ct] = 0;
+ assert(ct < sizeof(any));
cornline(2, any);
}
@@ -755,7 +759,7 @@
/* Changed to one type only, so he doesnt have to type cr */
char c, ilet;
char stuff[BUFSZ];
- int stct;
+ unsigned stct;
struct obj *otmp;
boolean billx = inshop() && doinvbill(0);
boolean unpd = FALSE;
@@ -781,6 +785,7 @@
if (billx)
stuff[stct++] = 'x';
stuff[stct] = 0;
+ assert(stct < sizeof(stuff));
if (stct > 1) {
pline("What type of object [%s] do you want an inventory of? ",
@@ -817,6 +822,8 @@
ilet = 'A';
}
stuff[stct] = '\0';
+ assert(stct < sizeof(stuff));
+
if (stct == 0)
pline("You have no such objects.");
else
Index: src/games/hack/hack.main.c
diff -u src/games/hack/hack.main.c:1.12 src/games/hack/hack.main.c:1.13
--- src/games/hack/hack.main.c:1.12 Sun Jun 7 20:13:18 2009
+++ src/games/hack/hack.main.c Mon Jun 29 23:05:33 2009
@@ -1,4 +1,4 @@
-/* $NetBSD: hack.main.c,v 1.12 2009/06/07 20:13:18 dholland Exp $ */
+/* $NetBSD: hack.main.c,v 1.13 2009/06/29 23:05:33 dholland Exp $ */
/*
* Copyright (c) 1985, Stichting Centrum voor Wiskunde en Informatica,
@@ -63,7 +63,7 @@
#include <sys/cdefs.h>
#ifndef lint
-__RCSID("$NetBSD: hack.main.c,v 1.12 2009/06/07 20:13:18 dholland Exp $");
+__RCSID("$NetBSD: hack.main.c,v 1.13 2009/06/29 23:05:33 dholland Exp $");
#endif /* not lint */
#include <signal.h>
@@ -300,7 +300,8 @@
}
*gp = 0;
} else
- (void) strcpy(genocided, sfoo);
+ (void) strlcpy(genocided, sfoo,
+ sizeof(genocided));
(void) strcpy(fut_geno, genocided);
}
}
@@ -478,12 +479,12 @@
glo(int foo)
{
/* construct the string xlock.n */
- char *tf;
+ size_t pos;
- tf = lock;
- while (*tf && *tf != '.')
- tf++;
- (void) sprintf(tf, ".%d", foo);
+ pos = 0;
+ while (lock[pos] && lock[pos] != '.')
+ pos++;
+ (void) snprintf(lock + pos, sizeof(lock) - pos, ".%d", foo);
}
/*
Index: src/games/hack/hack.unix.c
diff -u src/games/hack/hack.unix.c:1.12 src/games/hack/hack.unix.c:1.13
--- src/games/hack/hack.unix.c:1.12 Sun Jun 7 20:13:18 2009
+++ src/games/hack/hack.unix.c Mon Jun 29 23:05:33 2009
@@ -1,4 +1,4 @@
-/* $NetBSD: hack.unix.c,v 1.12 2009/06/07 20:13:18 dholland Exp $ */
+/* $NetBSD: hack.unix.c,v 1.13 2009/06/29 23:05:33 dholland Exp $ */
/*
* Copyright (c) 1985, Stichting Centrum voor Wiskunde en Informatica,
@@ -63,7 +63,7 @@
#include <sys/cdefs.h>
#ifndef lint
-__RCSID("$NetBSD: hack.unix.c,v 1.12 2009/06/07 20:13:18 dholland Exp $");
+__RCSID("$NetBSD: hack.unix.c,v 1.13 2009/06/29 23:05:33 dholland Exp $");
#endif /* not lint */
/* This file collects some Unix dependencies; hack.pager.c contains some more */
@@ -192,11 +192,11 @@
if ((np = strchr(path, ':')) == NULL)
np = path + strlen(path); /* point to end str */
if (np - path <= 1) /* %% */
- (void) strcpy(filename, name);
+ (void) strlcpy(filename, name, sizeof(filename));
else {
- (void) strncpy(filename, path, np - path);
- filename[np - path] = '/';
- (void) strcpy(filename + (np - path) + 1, name);
+ (void) snprintf(filename, sizeof(filename),
+ "%.*s/%s",
+ (int)(np - path), path, name);
}
if (stat(filename, &hbuf) == 0)
return;
Index: src/games/hack/hack.rip.c
diff -u src/games/hack/hack.rip.c:1.10 src/games/hack/hack.rip.c:1.11
--- src/games/hack/hack.rip.c:1.10 Sun Jun 7 20:13:18 2009
+++ src/games/hack/hack.rip.c Mon Jun 29 23:05:33 2009
@@ -1,4 +1,4 @@
-/* $NetBSD: hack.rip.c,v 1.10 2009/06/07 20:13:18 dholland Exp $ */
+/* $NetBSD: hack.rip.c,v 1.11 2009/06/29 23:05:33 dholland Exp $ */
/*
* Copyright (c) 1985, Stichting Centrum voor Wiskunde en Informatica,
@@ -63,7 +63,7 @@
#include <sys/cdefs.h>
#ifndef lint
-__RCSID("$NetBSD: hack.rip.c,v 1.10 2009/06/07 20:13:18 dholland Exp $");
+__RCSID("$NetBSD: hack.rip.c,v 1.11 2009/06/29 23:05:33 dholland Exp $");
#endif /* not lint */
#include "hack.h"
@@ -101,7 +101,7 @@
!strcmp(killer, "starvation") ? "" :
strchr(vowels, *killer) ? " an" : " a");
center(8, buf);
- (void) strcpy(buf, killer);
+ (void) strlcpy(buf, killer, sizeof(buf));
{
int i1;
if ((i1 = strlen(buf)) > 16) {
Index: src/games/hack/hack.topl.c
diff -u src/games/hack/hack.topl.c:1.10 src/games/hack/hack.topl.c:1.11
--- src/games/hack/hack.topl.c:1.10 Sun Jun 7 20:13:18 2009
+++ src/games/hack/hack.topl.c Mon Jun 29 23:05:33 2009
@@ -1,4 +1,4 @@
-/* $NetBSD: hack.topl.c,v 1.10 2009/06/07 20:13:18 dholland Exp $ */
+/* $NetBSD: hack.topl.c,v 1.11 2009/06/29 23:05:33 dholland Exp $ */
/*
* Copyright (c) 1985, Stichting Centrum voor Wiskunde en Informatica,
@@ -63,7 +63,7 @@
#include <sys/cdefs.h>
#ifndef lint
-__RCSID("$NetBSD: hack.topl.c,v 1.10 2009/06/07 20:13:18 dholland Exp $");
+__RCSID("$NetBSD: hack.topl.c,v 1.11 2009/06/29 23:05:33 dholland Exp $");
#endif /* not lint */
#include <stdlib.h>
@@ -212,7 +212,7 @@
{
char pbuf[BUFSZ];
char *bp = pbuf, *tl;
- int n, n0;
+ int n, n0, tlpos, dead;
if (!line || !*line)
return;
@@ -240,8 +240,9 @@
if (flags.toplin == 1)
more();
remember_topl();
+ dead = 0;
toplines[0] = 0;
- while (n0) {
+ while (n0 && !dead) {
if (n0 >= CO) {
/* look for appropriate cut point */
n0 = 0;
@@ -255,7 +256,14 @@
if (!n0)
n0 = CO - 2;
}
- (void) strncpy((tl = eos(toplines)), bp, n0);
+ tlpos = strlen(toplines);
+ tl = toplines + tlpos;
+ /* avoid overflow */
+ if (tlpos + n0 > (int)sizeof(toplines) - 1) {
+ n0 = sizeof(toplines) - 1 - tlpos;
+ dead = 1;
+ }
+ (void) memcpy(tl, bp, n0);
tl[n0] = 0;
bp += n0;
@@ -265,7 +273,7 @@
n0 = strlen(bp);
if (n0 && tl[0])
- (void) strcat(tl, "\n");
+ (void) strlcat(toplines, "\n", sizeof(toplines));
}
redotoplin();
}
