diff options
author | adrianp <adrianp@pkgsrc.org> | 2006-06-11 11:36:47 +0000 |
---|---|---|
committer | adrianp <adrianp@pkgsrc.org> | 2006-06-11 11:36:47 +0000 |
commit | e3bca29e65c8d18b55047989d1bf17a020ae64f4 (patch) | |
tree | 79332d7dfc502e25d6193d401fe3dd4d5b95c478 /games/crossfire-server/patches | |
parent | 36d9b55da2a81b918349496fde15d025e261dfab (diff) | |
download | pkgsrc-e3bca29e65c8d18b55047989d1bf17a020ae64f4.tar.gz |
Security fix for CAN-2006-1236
PKGREVISON bumped
Diffstat (limited to 'games/crossfire-server/patches')
-rw-r--r-- | games/crossfire-server/patches/patch-ab | 217 |
1 files changed, 217 insertions, 0 deletions
diff --git a/games/crossfire-server/patches/patch-ab b/games/crossfire-server/patches/patch-ab new file mode 100644 index 00000000000..98e94086bd5 --- /dev/null +++ b/games/crossfire-server/patches/patch-ab @@ -0,0 +1,217 @@ +$NetBSD: patch-ab,v 1.1 2006/06/11 11:36:47 adrianp Exp $ + +--- socket/request.c.orig 2006-02-25 08:02:11.000000000 +0000 ++++ socket/request.c +@@ -109,7 +109,7 @@ short atnr_cs_stat[NROFATTACKS] = {CS_ST + /** This is the Setup cmd - easy first implementation */ + void SetUp(char *buf, int len, NewSocket *ns) + { +- int s; ++ int s, slen; + char *cmd, *param, cmdback[HUGE_BUF]; + + /* run through the cmds of setup +@@ -139,40 +139,40 @@ void SetUp(char *buf, int len, NewSocket + buf[s++]=0; + while (buf[s] == ' ') s++; + +- strcat(cmdback, " "); +- strcat(cmdback, cmd); +- strcat(cmdback, " "); +- ++ slen = strlen(cmdback); ++ safe_strcat(cmdback, " ", &slen, HUGE_BUF); ++ safe_strcat(cmdback, cmd, &slen, HUGE_BUF); ++ safe_strcat(cmdback, " ", &slen, HUGE_BUF); + + if (!strcmp(cmd,"sound")) { + ns->sound = atoi(param); +- strcat(cmdback, param); ++ safe_strcat(cmdback, param, &slen, HUGE_BUF); + } + else if (!strcmp(cmd,"exp64")) { + ns->exp64 = atoi(param); +- strcat(cmdback, param); ++ safe_strcat(cmdback, param, &slen, HUGE_BUF); + } else if (!strcmp(cmd, "spellmon")) { + ns->monitor_spells = atoi(param); +- strcat(cmdback, param); ++ safe_strcat(cmdback, param, &slen, HUGE_BUF); + } else if (!strcmp(cmd,"darkness")) { + ns->darkness = atoi(param); +- strcat(cmdback, param); ++ safe_strcat(cmdback, param, &slen, HUGE_BUF); + } else if (!strcmp(cmd,"map1cmd")) { + if (atoi(param)) ns->mapmode = Map1Cmd; + /* if beyond this size, need to use map1cmd no matter what */ + if (ns->mapx>11 || ns->mapy>11) ns->mapmode = Map1Cmd; +- strcat(cmdback, ns->mapmode == Map1Cmd?"1":"0"); ++ safe_strcat(cmdback, ns->mapmode == Map1Cmd?"1":"0", &slen, HUGE_BUF); + } else if (!strcmp(cmd,"map1acmd")) { + if (atoi(param)) ns->mapmode = Map1aCmd; + /* if beyond this size, need to use map1acmd no matter what */ + if (ns->mapx>11 || ns->mapy>11) ns->mapmode = Map1aCmd; +- strcat(cmdback, ns->mapmode == Map1aCmd?"1":"0"); ++ safe_strcat(cmdback, ns->mapmode == Map1aCmd?"1":"0", &slen, HUGE_BUF); + } else if (!strcmp(cmd,"newmapcmd")) { + ns->newmapcmd= atoi(param); +- strcat(cmdback, param); ++ safe_strcat(cmdback, param, &slen, HUGE_BUF); + } else if (!strcmp(cmd,"facecache")) { + ns->facecache = atoi(param); +- strcat(cmdback, param); ++ safe_strcat(cmdback, param, &slen, HUGE_BUF); + } else if (!strcmp(cmd,"faceset")) { + char tmpbuf[20]; + int q = atoi(param); +@@ -180,7 +180,7 @@ void SetUp(char *buf, int len, NewSocket + if (is_valid_faceset(q)) + ns->faceset=q; + sprintf(tmpbuf,"%d", ns->faceset); +- strcat(cmdback, tmpbuf); ++ safe_strcat(cmdback, tmpbuf, &slen, HUGE_BUF); + /* if the client is using faceset, it knows about image2 command */ + ns->image2=1; + } else if (!strcmp(cmd,"itemcmd")) { +@@ -196,7 +196,7 @@ void SetUp(char *buf, int len, NewSocket + ns->itemcmd = q; + sprintf(tmpbuf,"%d", ns->itemcmd); + } +- strcat(cmdback, tmpbuf); ++ safe_strcat(cmdback, tmpbuf, &slen, HUGE_BUF); + } else if (!strcmp(cmd,"mapsize")) { + int x, y=0; + char tmpbuf[MAX_BUF], *cp; +@@ -209,7 +209,7 @@ void SetUp(char *buf, int len, NewSocket + } + if (x < 9 || y < 9 || x>MAP_CLIENT_X || y > MAP_CLIENT_Y) { + sprintf(tmpbuf," %dx%d", MAP_CLIENT_X, MAP_CLIENT_Y); +- strcat(cmdback, tmpbuf); ++ safe_strcat(cmdback, tmpbuf, &slen, HUGE_BUF); + } else { + ns->mapx = x; + ns->mapy = y; +@@ -217,34 +217,35 @@ void SetUp(char *buf, int len, NewSocket + * param as given to us in case it gets parsed differently. + */ + sprintf(tmpbuf,"%dx%d", x,y); +- strcat(cmdback, tmpbuf); ++ safe_strcat(cmdback, tmpbuf, &slen, HUGE_BUF); + /* If beyond this size and still using orig map command, need to + * go to map1cmd. + */ + if ((x>11 || y>11) && ns->mapmode == Map0Cmd) ns->mapmode = Map1Cmd; + } + } else if (!strcmp(cmd,"extendedMapInfos")) { +- /* Added by tchize +- * prepare to use the mapextended command +- */ ++ /* Added by tchize ++ * prepare to use the mapextended command ++ */ + char tmpbuf[20]; +- ns->ext_mapinfos = (atoi(param)); ++ ns->ext_mapinfos = (atoi(param)); + sprintf(tmpbuf,"%d", ns->ext_mapinfos); +- strcat(cmdback, tmpbuf); ++ safe_strcat(cmdback, tmpbuf, &slen, HUGE_BUF); + } else if (!strcmp(cmd,"extendedTextInfos")) { +- /* Added by tchize +- * prepare to use the extended text commands +- * Client toggle this to non zero to get exttext +- */ ++ /* Added by tchize ++ * prepare to use the extended text commands ++ * Client toggle this to non zero to get exttext ++ */ + char tmpbuf[20]; +- ns->has_readable_type = (atoi(param)); ++ ++ ns->has_readable_type = (atoi(param)); + sprintf(tmpbuf,"%d", ns->has_readable_type); +- strcat(cmdback, tmpbuf); ++ safe_strcat(cmdback, tmpbuf, &slen, HUGE_BUF); + } else { + /* Didn't get a setup command we understood - + * report a failure to the client. + */ +- strcat(cmdback, "FALSE"); ++ safe_strcat(cmdback, "FALSE", &slen, HUGE_BUF); + } + } /* for processing all the setup commands */ + LOG(llevInfo,"SendBack SetupCmd:: %s\n", cmdback); +@@ -619,7 +620,7 @@ void VersionCmd(char *buf, int len,NewSo + } + cp = strchr(cp+1, ' '); + if (cp) { +- LOG(llevDebug,"CS: connection from client of type <%s>\n", cp); ++ LOG(llevDebug,"CS: connection from client of type <%s>, ip %s\n", cp, ns->host); + + /* This is first implementation - i skip all beta DX clients with it + * Add later stuff here for other clients +@@ -1925,12 +1926,12 @@ void send_skill_info(NewSocket *ns, char + int i; + + sl.buf = malloc(MAXSOCKBUF); +- strcpy(sl.buf,"replyinfo skill_info\n"); ++ strcpy((char*)sl.buf,"replyinfo skill_info\n"); + for (i=1; i< NUM_SKILLS; i++) { +- sprintf(sl.buf + strlen(sl.buf), "%d:%s\n", i + CS_STAT_SKILLINFO, ++ sprintf((char*)sl.buf + strlen((char*)sl.buf), "%d:%s\n", i + CS_STAT_SKILLINFO, + skill_names[i]); + } +- sl.len = strlen(sl.buf); ++ sl.len = strlen((char*)sl.buf); + if (sl.len > MAXSOCKBUF) { + LOG(llevError,"Buffer overflow in send_skill_info!\n"); + fatal(0); +@@ -1948,10 +1949,10 @@ void send_spell_paths (NewSocket *ns, ch + int i; + + sl.buf = malloc(MAXSOCKBUF); +- strcpy(sl.buf,"replyinfo spell_paths\n"); ++ strcpy((char*)sl.buf,"replyinfo spell_paths\n"); + for(i=0; i<NRSPELLPATHS; i++) +- sprintf(sl.buf + strlen(sl.buf), "%d:%s\n", 1<<i, spellpathnames[i]); +- sl.len = strlen(sl.buf); ++ sprintf((char*)sl.buf + strlen((char*)sl.buf), "%d:%s\n", 1<<i, spellpathnames[i]); ++ sl.len = strlen((char*)sl.buf); + if (sl.len > MAXSOCKBUF) { + LOG(llevError,"Buffer overflow in send_spell_paths!\n"); + fatal(0); +@@ -1986,7 +1987,7 @@ void esrv_update_spells(player *pl) { + } + if (flags !=0) { + sl.buf = malloc(MAXSOCKBUF); +- strcpy(sl.buf,"updspell "); ++ strcpy((char*)sl.buf,"updspell "); + sl.len=strlen((char*)sl.buf); + SockList_AddChar(&sl, flags); + SockList_AddInt(&sl, spell->count); +@@ -2010,7 +2011,7 @@ void esrv_remove_spell(player *pl, objec + return; + } + sl.buf = malloc(MAXSOCKBUF); +- strcpy(sl.buf,"delspell "); ++ strcpy((char*)sl.buf,"delspell "); + sl.len=strlen((char*)sl.buf); + SockList_AddInt(&sl, spell->count); + Send_With_Handling(&pl->socket, &sl); +@@ -2078,7 +2079,7 @@ void esrv_add_spells(player *pl, object + } + if (!pl->socket.monitor_spells) return; + sl.buf = malloc(MAXSOCKBUF); +- strcpy(sl.buf,"addspell "); ++ strcpy((char*)sl.buf,"addspell "); + sl.len=strlen((char*)sl.buf); + if (!spell) { + for (spell=pl->ob->inv; spell!=NULL; spell=spell->below) { +@@ -2099,7 +2100,7 @@ void esrv_add_spells(player *pl, object + if (sl.len > (MAXSOCKBUF - (26 + strlen(spell->name) + + (spell->msg?strlen(spell->msg):0)))) { + Send_With_Handling(&pl->socket, &sl); +- strcpy(sl.buf,"addspell "); ++ strcpy((char*)sl.buf,"addspell "); + sl.len=strlen((char*)sl.buf); + } + append_spell(pl, &sl, spell); |