summaryrefslogtreecommitdiff
path: root/games/crossfire-server/patches
diff options
context:
space:
mode:
authoradrianp <adrianp@pkgsrc.org>2006-06-11 11:36:47 +0000
committeradrianp <adrianp@pkgsrc.org>2006-06-11 11:36:47 +0000
commite3bca29e65c8d18b55047989d1bf17a020ae64f4 (patch)
tree79332d7dfc502e25d6193d401fe3dd4d5b95c478 /games/crossfire-server/patches
parent36d9b55da2a81b918349496fde15d025e261dfab (diff)
downloadpkgsrc-e3bca29e65c8d18b55047989d1bf17a020ae64f4.tar.gz
Security fix for CAN-2006-1236
PKGREVISON bumped
Diffstat (limited to 'games/crossfire-server/patches')
-rw-r--r--games/crossfire-server/patches/patch-ab217
1 files changed, 217 insertions, 0 deletions
diff --git a/games/crossfire-server/patches/patch-ab b/games/crossfire-server/patches/patch-ab
new file mode 100644
index 00000000000..98e94086bd5
--- /dev/null
+++ b/games/crossfire-server/patches/patch-ab
@@ -0,0 +1,217 @@
+$NetBSD: patch-ab,v 1.1 2006/06/11 11:36:47 adrianp Exp $
+
+--- socket/request.c.orig 2006-02-25 08:02:11.000000000 +0000
++++ socket/request.c
+@@ -109,7 +109,7 @@ short atnr_cs_stat[NROFATTACKS] = {CS_ST
+ /** This is the Setup cmd - easy first implementation */
+ void SetUp(char *buf, int len, NewSocket *ns)
+ {
+- int s;
++ int s, slen;
+ char *cmd, *param, cmdback[HUGE_BUF];
+
+ /* run through the cmds of setup
+@@ -139,40 +139,40 @@ void SetUp(char *buf, int len, NewSocket
+ buf[s++]=0;
+ while (buf[s] == ' ') s++;
+
+- strcat(cmdback, " ");
+- strcat(cmdback, cmd);
+- strcat(cmdback, " ");
+-
++ slen = strlen(cmdback);
++ safe_strcat(cmdback, " ", &slen, HUGE_BUF);
++ safe_strcat(cmdback, cmd, &slen, HUGE_BUF);
++ safe_strcat(cmdback, " ", &slen, HUGE_BUF);
+
+ if (!strcmp(cmd,"sound")) {
+ ns->sound = atoi(param);
+- strcat(cmdback, param);
++ safe_strcat(cmdback, param, &slen, HUGE_BUF);
+ }
+ else if (!strcmp(cmd,"exp64")) {
+ ns->exp64 = atoi(param);
+- strcat(cmdback, param);
++ safe_strcat(cmdback, param, &slen, HUGE_BUF);
+ } else if (!strcmp(cmd, "spellmon")) {
+ ns->monitor_spells = atoi(param);
+- strcat(cmdback, param);
++ safe_strcat(cmdback, param, &slen, HUGE_BUF);
+ } else if (!strcmp(cmd,"darkness")) {
+ ns->darkness = atoi(param);
+- strcat(cmdback, param);
++ safe_strcat(cmdback, param, &slen, HUGE_BUF);
+ } else if (!strcmp(cmd,"map1cmd")) {
+ if (atoi(param)) ns->mapmode = Map1Cmd;
+ /* if beyond this size, need to use map1cmd no matter what */
+ if (ns->mapx>11 || ns->mapy>11) ns->mapmode = Map1Cmd;
+- strcat(cmdback, ns->mapmode == Map1Cmd?"1":"0");
++ safe_strcat(cmdback, ns->mapmode == Map1Cmd?"1":"0", &slen, HUGE_BUF);
+ } else if (!strcmp(cmd,"map1acmd")) {
+ if (atoi(param)) ns->mapmode = Map1aCmd;
+ /* if beyond this size, need to use map1acmd no matter what */
+ if (ns->mapx>11 || ns->mapy>11) ns->mapmode = Map1aCmd;
+- strcat(cmdback, ns->mapmode == Map1aCmd?"1":"0");
++ safe_strcat(cmdback, ns->mapmode == Map1aCmd?"1":"0", &slen, HUGE_BUF);
+ } else if (!strcmp(cmd,"newmapcmd")) {
+ ns->newmapcmd= atoi(param);
+- strcat(cmdback, param);
++ safe_strcat(cmdback, param, &slen, HUGE_BUF);
+ } else if (!strcmp(cmd,"facecache")) {
+ ns->facecache = atoi(param);
+- strcat(cmdback, param);
++ safe_strcat(cmdback, param, &slen, HUGE_BUF);
+ } else if (!strcmp(cmd,"faceset")) {
+ char tmpbuf[20];
+ int q = atoi(param);
+@@ -180,7 +180,7 @@ void SetUp(char *buf, int len, NewSocket
+ if (is_valid_faceset(q))
+ ns->faceset=q;
+ sprintf(tmpbuf,"%d", ns->faceset);
+- strcat(cmdback, tmpbuf);
++ safe_strcat(cmdback, tmpbuf, &slen, HUGE_BUF);
+ /* if the client is using faceset, it knows about image2 command */
+ ns->image2=1;
+ } else if (!strcmp(cmd,"itemcmd")) {
+@@ -196,7 +196,7 @@ void SetUp(char *buf, int len, NewSocket
+ ns->itemcmd = q;
+ sprintf(tmpbuf,"%d", ns->itemcmd);
+ }
+- strcat(cmdback, tmpbuf);
++ safe_strcat(cmdback, tmpbuf, &slen, HUGE_BUF);
+ } else if (!strcmp(cmd,"mapsize")) {
+ int x, y=0;
+ char tmpbuf[MAX_BUF], *cp;
+@@ -209,7 +209,7 @@ void SetUp(char *buf, int len, NewSocket
+ }
+ if (x < 9 || y < 9 || x>MAP_CLIENT_X || y > MAP_CLIENT_Y) {
+ sprintf(tmpbuf," %dx%d", MAP_CLIENT_X, MAP_CLIENT_Y);
+- strcat(cmdback, tmpbuf);
++ safe_strcat(cmdback, tmpbuf, &slen, HUGE_BUF);
+ } else {
+ ns->mapx = x;
+ ns->mapy = y;
+@@ -217,34 +217,35 @@ void SetUp(char *buf, int len, NewSocket
+ * param as given to us in case it gets parsed differently.
+ */
+ sprintf(tmpbuf,"%dx%d", x,y);
+- strcat(cmdback, tmpbuf);
++ safe_strcat(cmdback, tmpbuf, &slen, HUGE_BUF);
+ /* If beyond this size and still using orig map command, need to
+ * go to map1cmd.
+ */
+ if ((x>11 || y>11) && ns->mapmode == Map0Cmd) ns->mapmode = Map1Cmd;
+ }
+ } else if (!strcmp(cmd,"extendedMapInfos")) {
+- /* Added by tchize
+- * prepare to use the mapextended command
+- */
++ /* Added by tchize
++ * prepare to use the mapextended command
++ */
+ char tmpbuf[20];
+- ns->ext_mapinfos = (atoi(param));
++ ns->ext_mapinfos = (atoi(param));
+ sprintf(tmpbuf,"%d", ns->ext_mapinfos);
+- strcat(cmdback, tmpbuf);
++ safe_strcat(cmdback, tmpbuf, &slen, HUGE_BUF);
+ } else if (!strcmp(cmd,"extendedTextInfos")) {
+- /* Added by tchize
+- * prepare to use the extended text commands
+- * Client toggle this to non zero to get exttext
+- */
++ /* Added by tchize
++ * prepare to use the extended text commands
++ * Client toggle this to non zero to get exttext
++ */
+ char tmpbuf[20];
+- ns->has_readable_type = (atoi(param));
++
++ ns->has_readable_type = (atoi(param));
+ sprintf(tmpbuf,"%d", ns->has_readable_type);
+- strcat(cmdback, tmpbuf);
++ safe_strcat(cmdback, tmpbuf, &slen, HUGE_BUF);
+ } else {
+ /* Didn't get a setup command we understood -
+ * report a failure to the client.
+ */
+- strcat(cmdback, "FALSE");
++ safe_strcat(cmdback, "FALSE", &slen, HUGE_BUF);
+ }
+ } /* for processing all the setup commands */
+ LOG(llevInfo,"SendBack SetupCmd:: %s\n", cmdback);
+@@ -619,7 +620,7 @@ void VersionCmd(char *buf, int len,NewSo
+ }
+ cp = strchr(cp+1, ' ');
+ if (cp) {
+- LOG(llevDebug,"CS: connection from client of type <%s>\n", cp);
++ LOG(llevDebug,"CS: connection from client of type <%s>, ip %s\n", cp, ns->host);
+
+ /* This is first implementation - i skip all beta DX clients with it
+ * Add later stuff here for other clients
+@@ -1925,12 +1926,12 @@ void send_skill_info(NewSocket *ns, char
+ int i;
+
+ sl.buf = malloc(MAXSOCKBUF);
+- strcpy(sl.buf,"replyinfo skill_info\n");
++ strcpy((char*)sl.buf,"replyinfo skill_info\n");
+ for (i=1; i< NUM_SKILLS; i++) {
+- sprintf(sl.buf + strlen(sl.buf), "%d:%s\n", i + CS_STAT_SKILLINFO,
++ sprintf((char*)sl.buf + strlen((char*)sl.buf), "%d:%s\n", i + CS_STAT_SKILLINFO,
+ skill_names[i]);
+ }
+- sl.len = strlen(sl.buf);
++ sl.len = strlen((char*)sl.buf);
+ if (sl.len > MAXSOCKBUF) {
+ LOG(llevError,"Buffer overflow in send_skill_info!\n");
+ fatal(0);
+@@ -1948,10 +1949,10 @@ void send_spell_paths (NewSocket *ns, ch
+ int i;
+
+ sl.buf = malloc(MAXSOCKBUF);
+- strcpy(sl.buf,"replyinfo spell_paths\n");
++ strcpy((char*)sl.buf,"replyinfo spell_paths\n");
+ for(i=0; i<NRSPELLPATHS; i++)
+- sprintf(sl.buf + strlen(sl.buf), "%d:%s\n", 1<<i, spellpathnames[i]);
+- sl.len = strlen(sl.buf);
++ sprintf((char*)sl.buf + strlen((char*)sl.buf), "%d:%s\n", 1<<i, spellpathnames[i]);
++ sl.len = strlen((char*)sl.buf);
+ if (sl.len > MAXSOCKBUF) {
+ LOG(llevError,"Buffer overflow in send_spell_paths!\n");
+ fatal(0);
+@@ -1986,7 +1987,7 @@ void esrv_update_spells(player *pl) {
+ }
+ if (flags !=0) {
+ sl.buf = malloc(MAXSOCKBUF);
+- strcpy(sl.buf,"updspell ");
++ strcpy((char*)sl.buf,"updspell ");
+ sl.len=strlen((char*)sl.buf);
+ SockList_AddChar(&sl, flags);
+ SockList_AddInt(&sl, spell->count);
+@@ -2010,7 +2011,7 @@ void esrv_remove_spell(player *pl, objec
+ return;
+ }
+ sl.buf = malloc(MAXSOCKBUF);
+- strcpy(sl.buf,"delspell ");
++ strcpy((char*)sl.buf,"delspell ");
+ sl.len=strlen((char*)sl.buf);
+ SockList_AddInt(&sl, spell->count);
+ Send_With_Handling(&pl->socket, &sl);
+@@ -2078,7 +2079,7 @@ void esrv_add_spells(player *pl, object
+ }
+ if (!pl->socket.monitor_spells) return;
+ sl.buf = malloc(MAXSOCKBUF);
+- strcpy(sl.buf,"addspell ");
++ strcpy((char*)sl.buf,"addspell ");
+ sl.len=strlen((char*)sl.buf);
+ if (!spell) {
+ for (spell=pl->ob->inv; spell!=NULL; spell=spell->below) {
+@@ -2099,7 +2100,7 @@ void esrv_add_spells(player *pl, object
+ if (sl.len > (MAXSOCKBUF - (26 + strlen(spell->name) +
+ (spell->msg?strlen(spell->msg):0)))) {
+ Send_With_Handling(&pl->socket, &sl);
+- strcpy(sl.buf,"addspell ");
++ strcpy((char*)sl.buf,"addspell ");
+ sl.len=strlen((char*)sl.buf);
+ }
+ append_spell(pl, &sl, spell);