Security fix for CAN-2006-1236

PKGREVISON bumped

3 files changed, 221 insertions, 2 deletions

diff --git a/games/crossfire-server/Makefile b/games/crossfire-server/Makefile
index 639ba34e29e..5a254e3925f 100644
--- a/games/crossfire-server/Makefile
+++ b/games/crossfire-server/Makefile
@@ -1,7 +1,8 @@
-# $NetBSD: Makefile,v 1.1.1.1 2006/05/11 05:59:36 adam Exp $
+# $NetBSD: Makefile,v 1.2 2006/06/11 11:36:47 adrianp Exp $
 
 DISTNAME=	crossfire-1.9.0
 PKGNAME=	crossfire-server-1.9.0
+PKGREVISION=	1
 CATEGORIES=	games x11
 MASTER_SITES=	${MASTER_SITE_SOURCEFORGE:=crossfire/}
 
diff --git a/games/crossfire-server/distinfo b/games/crossfire-server/distinfo
index 975e7223c39..af2f16ba2a3 100644
--- a/games/crossfire-server/distinfo
+++ b/games/crossfire-server/distinfo
@@ -1,7 +1,8 @@
-$NetBSD: distinfo,v 1.1.1.1 2006/05/11 05:59:36 adam Exp $
+$NetBSD: distinfo,v 1.2 2006/06/11 11:36:47 adrianp Exp $
 
 SHA1 (crossfire-1.9.0.tar.gz) = 7f8ef84f4d465736fc854b4be4e32f39ed415eaf
 RMD160 (crossfire-1.9.0.tar.gz) = 6069e1d566a738c73756096240694d8f62ab8ce4
 Size (crossfire-1.9.0.tar.gz) = 5317109 bytes
 SHA1 (patch-aa) = 7102244e70498f89dc2f0a600415f06dcb93853f
+SHA1 (patch-ab) = b50c940ab25f3b2361afa6ae49be6edab498f43e
 SHA1 (patch-ae) = 4f9aee487d8cff1bb6295f3661d0194d045b328c
diff --git a/games/crossfire-server/patches/patch-ab b/games/crossfire-server/patches/patch-ab
new file mode 100644
index 00000000000..98e94086bd5
--- /dev/null
+++ b/games/crossfire-server/patches/patch-ab
@@ -0,0 +1,217 @@
+$NetBSD: patch-ab,v 1.1 2006/06/11 11:36:47 adrianp Exp $
+
+--- socket/request.c.orig	2006-02-25 08:02:11.000000000 +0000
++++ socket/request.c
+@@ -109,7 +109,7 @@ short atnr_cs_stat[NROFATTACKS] = {CS_ST
+ /** This is the Setup cmd - easy first implementation */
+ void SetUp(char *buf, int len, NewSocket *ns)
+ {
+-    int s;
++    int s, slen;
+     char *cmd, *param, cmdback[HUGE_BUF];
+ 
+     /* run through the cmds of setup
+@@ -139,40 +139,40 @@ void SetUp(char *buf, int len, NewSocket
+ 	buf[s++]=0;
+ 	while (buf[s] == ' ') s++;
+ 		
+-	strcat(cmdback, " ");
+-	strcat(cmdback, cmd);
+-	strcat(cmdback, " ");
+-
++	slen = strlen(cmdback);
++	safe_strcat(cmdback, " ", &slen, HUGE_BUF);
++	safe_strcat(cmdback, cmd, &slen, HUGE_BUF);
++	safe_strcat(cmdback, " ", &slen, HUGE_BUF);
+ 	
+ 	if (!strcmp(cmd,"sound")) {
+ 	    ns->sound = atoi(param);
+-	    strcat(cmdback, param);
++	    safe_strcat(cmdback, param, &slen, HUGE_BUF);
+ 	}
+ 	else if (!strcmp(cmd,"exp64")) {
+ 	    ns->exp64 = atoi(param);
+-	    strcat(cmdback, param);
++	    safe_strcat(cmdback, param, &slen, HUGE_BUF);
+ 	} else if (!strcmp(cmd, "spellmon")) {
+ 	    ns->monitor_spells = atoi(param);
+-	    strcat(cmdback, param);
++	    safe_strcat(cmdback, param, &slen, HUGE_BUF);
+ 	}  else if (!strcmp(cmd,"darkness")) {
+ 	    ns->darkness = atoi(param);
+-	    strcat(cmdback, param);
++	    safe_strcat(cmdback, param, &slen, HUGE_BUF);
+ 	} else if (!strcmp(cmd,"map1cmd")) {
+ 	    if (atoi(param)) ns->mapmode = Map1Cmd;
+ 	    /* if beyond this size, need to use map1cmd no matter what */
+ 	    if (ns->mapx>11 || ns->mapy>11) ns->mapmode = Map1Cmd;
+-	    strcat(cmdback, ns->mapmode == Map1Cmd?"1":"0");
++	    safe_strcat(cmdback, ns->mapmode == Map1Cmd?"1":"0", &slen, HUGE_BUF);
+ 	} else if (!strcmp(cmd,"map1acmd")) {
+ 	    if (atoi(param)) ns->mapmode = Map1aCmd;
+ 	    /* if beyond this size, need to use map1acmd no matter what */
+ 	    if (ns->mapx>11 || ns->mapy>11) ns->mapmode = Map1aCmd;
+-	    strcat(cmdback, ns->mapmode == Map1aCmd?"1":"0");
++	    safe_strcat(cmdback, ns->mapmode == Map1aCmd?"1":"0", &slen, HUGE_BUF);
+         } else if (!strcmp(cmd,"newmapcmd")) {
+             ns->newmapcmd= atoi(param);
+-            strcat(cmdback, param);
++	    safe_strcat(cmdback, param, &slen, HUGE_BUF);
+ 	} else if (!strcmp(cmd,"facecache")) {
+ 	    ns->facecache = atoi(param);
+-            strcat(cmdback, param);
++	    safe_strcat(cmdback, param, &slen, HUGE_BUF);
+ 	} else if (!strcmp(cmd,"faceset")) {
+ 	    char tmpbuf[20];
+ 	    int q = atoi(param);
+@@ -180,7 +180,7 @@ void SetUp(char *buf, int len, NewSocket
+ 	    if (is_valid_faceset(q))
+ 		ns->faceset=q;
+ 	    sprintf(tmpbuf,"%d", ns->faceset);
+-	    strcat(cmdback, tmpbuf);
++	    safe_strcat(cmdback, tmpbuf, &slen, HUGE_BUF);
+ 	    /* if the client is using faceset, it knows about image2 command */
+ 	    ns->image2=1;
+ 	} else if (!strcmp(cmd,"itemcmd")) {
+@@ -196,7 +196,7 @@ void SetUp(char *buf, int len, NewSocket
+ 		ns->itemcmd = q;
+ 		sprintf(tmpbuf,"%d", ns->itemcmd);
+ 	    }
+-	    strcat(cmdback, tmpbuf);
++	    safe_strcat(cmdback, tmpbuf, &slen, HUGE_BUF);
+         } else if (!strcmp(cmd,"mapsize")) {
+ 	    int x, y=0;
+ 	    char tmpbuf[MAX_BUF], *cp;
+@@ -209,7 +209,7 @@ void SetUp(char *buf, int len, NewSocket
+ 		}
+ 	    if (x < 9 || y < 9 || x>MAP_CLIENT_X || y > MAP_CLIENT_Y) {
+ 		sprintf(tmpbuf," %dx%d", MAP_CLIENT_X, MAP_CLIENT_Y);
+-		strcat(cmdback, tmpbuf);
++		safe_strcat(cmdback, tmpbuf, &slen, HUGE_BUF);
+ 	    } else {
+ 		ns->mapx = x;
+ 		ns->mapy = y;
+@@ -217,34 +217,35 @@ void SetUp(char *buf, int len, NewSocket
+ 		 * param as given to us in case it gets parsed differently.
+ 		 */
+ 		sprintf(tmpbuf,"%dx%d", x,y);
+-		strcat(cmdback, tmpbuf);
++		safe_strcat(cmdback, tmpbuf, &slen, HUGE_BUF);
+ 		/* If beyond this size and still using orig map command, need to
+ 		 * go to map1cmd.
+ 		 */
+ 		if ((x>11 || y>11) && ns->mapmode == Map0Cmd) ns->mapmode = Map1Cmd;
+ 	    }
+ 	} else if (!strcmp(cmd,"extendedMapInfos")) {
+-        /* Added by tchize
+-         * prepare to use the mapextended command
+-         */
++	    /* Added by tchize
++	     * prepare to use the mapextended command
++	     */
+ 	    char tmpbuf[20];
+-        ns->ext_mapinfos = (atoi(param));
++	    ns->ext_mapinfos = (atoi(param));
+ 	    sprintf(tmpbuf,"%d", ns->ext_mapinfos);
+-	    strcat(cmdback, tmpbuf);
++	    safe_strcat(cmdback, tmpbuf, &slen, HUGE_BUF);
+ 	} else if (!strcmp(cmd,"extendedTextInfos")) {
+-        /* Added by tchize
+-         * prepare to use the extended text commands
+-         * Client toggle this to non zero to get exttext
+-         */
++	    /* Added by tchize
++	     * prepare to use the extended text commands
++	     * Client toggle this to non zero to get exttext
++	     */
+ 	    char tmpbuf[20];
+-        ns->has_readable_type = (atoi(param));
++
++	    ns->has_readable_type = (atoi(param));
+ 	    sprintf(tmpbuf,"%d", ns->has_readable_type);
+-	    strcat(cmdback, tmpbuf);
++	    safe_strcat(cmdback, tmpbuf, &slen, HUGE_BUF);
+ 	} else {
+ 	    /* Didn't get a setup command we understood -
+ 	     * report a failure to the client.
+ 	     */
+-	    strcat(cmdback, "FALSE");
++	    safe_strcat(cmdback, "FALSE", &slen, HUGE_BUF);
+ 	}
+     } /* for processing all the setup commands */
+     LOG(llevInfo,"SendBack SetupCmd:: %s\n", cmdback);
+@@ -619,7 +620,7 @@ void VersionCmd(char *buf, int len,NewSo
+     }
+     cp = strchr(cp+1, ' ');
+     if (cp) {
+-	LOG(llevDebug,"CS: connection from client of type <%s>\n", cp);
++	LOG(llevDebug,"CS: connection from client of type <%s>, ip %s\n", cp, ns->host);
+ 
+ 	/* This is first implementation - i skip all beta DX clients with it 
+ 	 * Add later stuff here for other clients 
+@@ -1925,12 +1926,12 @@ void send_skill_info(NewSocket *ns, char
+     int i;
+ 
+     sl.buf = malloc(MAXSOCKBUF);
+-    strcpy(sl.buf,"replyinfo skill_info\n");
++    strcpy((char*)sl.buf,"replyinfo skill_info\n");
+     for (i=1; i< NUM_SKILLS; i++) {
+-	sprintf(sl.buf + strlen(sl.buf), "%d:%s\n", i + CS_STAT_SKILLINFO,
++	sprintf((char*)sl.buf + strlen((char*)sl.buf), "%d:%s\n", i + CS_STAT_SKILLINFO,
+ 		skill_names[i]);
+     }
+-    sl.len = strlen(sl.buf);
++    sl.len = strlen((char*)sl.buf);
+     if (sl.len > MAXSOCKBUF) {
+ 	LOG(llevError,"Buffer overflow in send_skill_info!\n");
+ 	fatal(0);
+@@ -1948,10 +1949,10 @@ void send_spell_paths (NewSocket *ns, ch
+     int i;
+ 
+     sl.buf = malloc(MAXSOCKBUF);
+-    strcpy(sl.buf,"replyinfo spell_paths\n");
++    strcpy((char*)sl.buf,"replyinfo spell_paths\n");
+     for(i=0; i<NRSPELLPATHS; i++)
+-	sprintf(sl.buf + strlen(sl.buf), "%d:%s\n", 1<<i, spellpathnames[i]);
+-    sl.len = strlen(sl.buf);
++	sprintf((char*)sl.buf + strlen((char*)sl.buf), "%d:%s\n", 1<<i, spellpathnames[i]);
++    sl.len = strlen((char*)sl.buf);
+     if (sl.len > MAXSOCKBUF) {
+ 	LOG(llevError,"Buffer overflow in send_spell_paths!\n");
+ 	fatal(0);
+@@ -1986,7 +1987,7 @@ void esrv_update_spells(player *pl) {
+ 	    }
+ 	    if (flags !=0) {
+ 		sl.buf = malloc(MAXSOCKBUF);
+-		strcpy(sl.buf,"updspell ");
++		strcpy((char*)sl.buf,"updspell ");
+ 		sl.len=strlen((char*)sl.buf);
+ 		SockList_AddChar(&sl, flags);
+ 		SockList_AddInt(&sl, spell->count);
+@@ -2010,7 +2011,7 @@ void esrv_remove_spell(player *pl, objec
+ 	return;
+     }
+     sl.buf = malloc(MAXSOCKBUF);
+-    strcpy(sl.buf,"delspell ");
++    strcpy((char*)sl.buf,"delspell ");
+     sl.len=strlen((char*)sl.buf);
+     SockList_AddInt(&sl, spell->count);
+     Send_With_Handling(&pl->socket, &sl);
+@@ -2078,7 +2079,7 @@ void esrv_add_spells(player *pl, object 
+     }
+     if (!pl->socket.monitor_spells) return;
+     sl.buf = malloc(MAXSOCKBUF);
+-    strcpy(sl.buf,"addspell ");
++    strcpy((char*)sl.buf,"addspell ");
+     sl.len=strlen((char*)sl.buf);
+     if (!spell) {
+ 	for (spell=pl->ob->inv; spell!=NULL; spell=spell->below) {
+@@ -2099,7 +2100,7 @@ void esrv_add_spells(player *pl, object 
+ 	    if (sl.len > (MAXSOCKBUF - (26 + strlen(spell->name) + 
+ 				(spell->msg?strlen(spell->msg):0)))) {
+ 		Send_With_Handling(&pl->socket, &sl);
+-		strcpy(sl.buf,"addspell ");
++		strcpy((char*)sl.buf,"addspell ");
+ 		sl.len=strlen((char*)sl.buf);
+ 	    }
+ 	    append_spell(pl, &sl, spell);