diff options
| author |   dholland <dholland@NetBSD.org> | 2009-06-29 23:05:33 +0000 |
|---|---|---|
| committer | dholland <dholland@NetBSD.org> | 2009-06-29 23:05:33 +0000 |
| commit | d00a8d1e94456d45abbb7c94cd846661735277ab (patch) | |
| tree | 5329ba2218576dbc5e41ed33677391627f69a23a /hack | |
| parent | fe1c4f849dd6242072352483d84870c6fcc974a7 (diff) | |
| download | bsdgames-darwin-d00a8d1e94456d45abbb7c94cd846661735277ab.tar.gz bsdgames-darwin-d00a8d1e94456d45abbb7c94cd846661735277ab.tar.zst bsdgames-darwin-d00a8d1e94456d45abbb7c94cd846661735277ab.zip | |
Fix two serious string-handling bugs (one exploitable, one probably
exploitable) and also add proper checking/paranoia in several other
places.
Diffstat (limited to 'hack')
| -rw-r--r-- | hack/hack.do_name.c | 6 | ||||
| -rw-r--r-- | hack/hack.h | 4 | ||||
| -rw-r--r-- | hack/hack.invent.c | 17 | ||||
| -rw-r--r-- | hack/hack.main.c | 17 | ||||
| -rw-r--r-- | hack/hack.rip.c | 6 | ||||
| -rw-r--r-- | hack/hack.topl.c | 20 | ||||
| -rw-r--r-- | hack/hack.unix.c | 12 |
7 files changed, 49 insertions, 33 deletions
diff --git a/hack/hack.do_name.c b/hack/hack.do_name.c index 21ee4275..303330fd 100644 --- a/hack/hack.do_name.c +++ b/hack/hack.do_name.c @@ -1,4 +1,4 @@ -/* $NetBSD: hack.do_name.c,v 1.9 2009/06/07 20:13:18 dholland Exp $ */ +/* $NetBSD: hack.do_name.c,v 1.10 2009/06/29 23:05:33 dholland Exp $ */ /* * Copyright (c) 1985, Stichting Centrum voor Wiskunde en Informatica, @@ -63,7 +63,7 @@ #include <sys/cdefs.h> #ifndef lint -__RCSID("$NetBSD: hack.do_name.c,v 1.9 2009/06/07 20:13:18 dholland Exp $"); +__RCSID("$NetBSD: hack.do_name.c,v 1.10 2009/06/29 23:05:33 dholland Exp $"); #endif /* not lint */ #include <stdlib.h> @@ -279,7 +279,7 @@ xmonnam(struct monst *mtmp, int vb) gn = ghostnames[rn2(SIZE(ghostnames))]; if (!rn2(2)) (void) - strcpy((char *) mtmp->mextra, !rn2(5) ? plname : gn); + strlcpy((char *) mtmp->mextra, !rn2(5) ? plname : gn, mtmp->mxlth); } (void) snprintf(buf, sizeof(buf), "%s's ghost", gn); } diff --git a/hack/hack.h b/hack/hack.h index 825daa72..21a94c0c 100644 --- a/hack/hack.h +++ b/hack/hack.h @@ -1,4 +1,4 @@ -/* $NetBSD: hack.h,v 1.12 2009/06/07 21:04:54 dholland Exp $ */ +/* $NetBSD: hack.h,v 1.13 2009/06/29 23:05:33 dholland Exp $ */ /* * Copyright (c) 1985, Stichting Centrum voor Wiskunde en Informatica, @@ -202,7 +202,7 @@ extern const char *const traps[]; extern char SAVEF[]; extern char fut_geno[60]; /* idem */ extern char genocided[60]; /* defined in Decl.c */ -extern char lock[]; +extern char lock[PL_NSIZ + 4]; extern const char mlarge[]; extern char morc; extern const char nul[]; diff --git a/hack/hack.invent.c b/hack/hack.invent.c index 8b1e7cc8..3d7d8377 100644 --- a/hack/hack.invent.c +++ b/hack/hack.invent.c @@ -1,4 +1,4 @@ -/* $NetBSD: hack.invent.c,v 1.12 2009/06/07 20:13:18 dholland Exp $ */ +/* $NetBSD: hack.invent.c,v 1.13 2009/06/29 23:05:33 dholland Exp $ */ /* * Copyright (c) 1985, Stichting Centrum voor Wiskunde en Informatica, @@ -63,9 +63,10 @@ #include <sys/cdefs.h> #ifndef lint -__RCSID("$NetBSD: hack.invent.c,v 1.12 2009/06/07 20:13:18 dholland Exp $"); +__RCSID("$NetBSD: hack.invent.c,v 1.13 2009/06/29 23:05:33 dholland Exp $"); #endif /* not lint */ +#include <assert.h> #include <stdlib.h> #include "hack.h" #include "extern.h" @@ -555,7 +556,7 @@ ggetobj(const char *word, int (*fn)(struct obj *), int max) char buf[BUFSZ]; char *ip; char sym; - int oletct = 0, iletct = 0; + unsigned oletct = 0, iletct = 0; boolean allflag = FALSE; char olets[20], ilets[20]; int (*ckfn)(struct obj *) = @@ -586,6 +587,7 @@ ggetobj(const char *word, int (*fn)(struct obj *), int max) if (invent) ilets[iletct++] = 'a'; ilets[iletct] = 0; + assert(iletct < sizeof(ilets)); } pline("What kinds of thing do you want to %s? [%s] ", word, ilets); @@ -614,6 +616,7 @@ ggetobj(const char *word, int (*fn)(struct obj *), int max) olets[oletct++] = sym; olets[oletct] = 0; } + assert(oletct < sizeof(olets)); } else pline("You don't have any %c's.", sym); } @@ -723,7 +726,7 @@ doinv(char *lets) { struct obj *otmp; char ilet; - int ct = 0; + unsigned ct = 0; char any[BUFSZ]; morc = 0; /* just to be sure */ @@ -746,6 +749,7 @@ doinv(char *lets) ilet = 'A'; } any[ct] = 0; + assert(ct < sizeof(any)); cornline(2, any); } @@ -755,7 +759,7 @@ dotypeinv(void) /* Changed to one type only, so he doesnt have to type cr */ char c, ilet; char stuff[BUFSZ]; - int stct; + unsigned stct; struct obj *otmp; boolean billx = inshop() && doinvbill(0); boolean unpd = FALSE; @@ -781,6 +785,7 @@ dotypeinv(void) if (billx) stuff[stct++] = 'x'; stuff[stct] = 0; + assert(stct < sizeof(stuff)); if (stct > 1) { pline("What type of object [%s] do you want an inventory of? ", @@ -817,6 +822,8 @@ dotypeinv(void) ilet = 'A'; } stuff[stct] = '\0'; + assert(stct < sizeof(stuff)); + if (stct == 0) pline("You have no such objects."); else diff --git a/hack/hack.main.c b/hack/hack.main.c index 28eec738..05bd88f9 100644 --- a/hack/hack.main.c +++ b/hack/hack.main.c @@ -1,4 +1,4 @@ -/* $NetBSD: hack.main.c,v 1.12 2009/06/07 20:13:18 dholland Exp $ */ +/* $NetBSD: hack.main.c,v 1.13 2009/06/29 23:05:33 dholland Exp $ */ /* * Copyright (c) 1985, Stichting Centrum voor Wiskunde en Informatica, @@ -63,7 +63,7 @@ #include <sys/cdefs.h> #ifndef lint -__RCSID("$NetBSD: hack.main.c,v 1.12 2009/06/07 20:13:18 dholland Exp $"); +__RCSID("$NetBSD: hack.main.c,v 1.13 2009/06/29 23:05:33 dholland Exp $"); #endif /* not lint */ #include <signal.h> @@ -300,7 +300,8 @@ main(int argc, char *argv[]) } *gp = 0; } else - (void) strcpy(genocided, sfoo); + (void) strlcpy(genocided, sfoo, + sizeof(genocided)); (void) strcpy(fut_geno, genocided); } } @@ -478,12 +479,12 @@ void glo(int foo) { /* construct the string xlock.n */ - char *tf; + size_t pos; - tf = lock; - while (*tf && *tf != '.') - tf++; - (void) sprintf(tf, ".%d", foo); + pos = 0; + while (lock[pos] && lock[pos] != '.') + pos++; + (void) snprintf(lock + pos, sizeof(lock) - pos, ".%d", foo); } /* diff --git a/hack/hack.rip.c b/hack/hack.rip.c index a27735ee..a0b11671 100644 --- a/hack/hack.rip.c +++ b/hack/hack.rip.c @@ -1,4 +1,4 @@ -/* $NetBSD: hack.rip.c,v 1.10 2009/06/07 20:13:18 dholland Exp $ */ +/* $NetBSD: hack.rip.c,v 1.11 2009/06/29 23:05:33 dholland Exp $ */ /* * Copyright (c) 1985, Stichting Centrum voor Wiskunde en Informatica, @@ -63,7 +63,7 @@ #include <sys/cdefs.h> #ifndef lint -__RCSID("$NetBSD: hack.rip.c,v 1.10 2009/06/07 20:13:18 dholland Exp $"); +__RCSID("$NetBSD: hack.rip.c,v 1.11 2009/06/29 23:05:33 dholland Exp $"); #endif /* not lint */ #include "hack.h" @@ -101,7 +101,7 @@ outrip(void) !strcmp(killer, "starvation") ? "" : strchr(vowels, *killer) ? " an" : " a"); center(8, buf); - (void) strcpy(buf, killer); + (void) strlcpy(buf, killer, sizeof(buf)); { int i1; if ((i1 = strlen(buf)) > 16) { diff --git a/hack/hack.topl.c b/hack/hack.topl.c index 80962902..138a1db2 100644 --- a/hack/hack.topl.c +++ b/hack/hack.topl.c @@ -1,4 +1,4 @@ -/* $NetBSD: hack.topl.c,v 1.10 2009/06/07 20:13:18 dholland Exp $ */ +/* $NetBSD: hack.topl.c,v 1.11 2009/06/29 23:05:33 dholland Exp $ */ /* * Copyright (c) 1985, Stichting Centrum voor Wiskunde en Informatica, @@ -63,7 +63,7 @@ #include <sys/cdefs.h> #ifndef lint -__RCSID("$NetBSD: hack.topl.c,v 1.10 2009/06/07 20:13:18 dholland Exp $"); +__RCSID("$NetBSD: hack.topl.c,v 1.11 2009/06/29 23:05:33 dholland Exp $"); #endif /* not lint */ #include <stdlib.h> @@ -212,7 +212,7 @@ vpline(const char *line, va_list ap) { char pbuf[BUFSZ]; char *bp = pbuf, *tl; - int n, n0; + int n, n0, tlpos, dead; if (!line || !*line) return; @@ -240,8 +240,9 @@ vpline(const char *line, va_list ap) if (flags.toplin == 1) more(); remember_topl(); + dead = 0; toplines[0] = 0; - while (n0) { + while (n0 && !dead) { if (n0 >= CO) { /* look for appropriate cut point */ n0 = 0; @@ -255,7 +256,14 @@ vpline(const char *line, va_list ap) if (!n0) n0 = CO - 2; } - (void) strncpy((tl = eos(toplines)), bp, n0); + tlpos = strlen(toplines); + tl = toplines + tlpos; + /* avoid overflow */ + if (tlpos + n0 > (int)sizeof(toplines) - 1) { + n0 = sizeof(toplines) - 1 - tlpos; + dead = 1; + } + (void) memcpy(tl, bp, n0); tl[n0] = 0; bp += n0; @@ -265,7 +273,7 @@ vpline(const char *line, va_list ap) n0 = strlen(bp); if (n0 && tl[0]) - (void) strcat(tl, "\n"); + (void) strlcat(toplines, "\n", sizeof(toplines)); } redotoplin(); } diff --git a/hack/hack.unix.c b/hack/hack.unix.c index 11cd9392..708e9f79 100644 --- a/hack/hack.unix.c +++ b/hack/hack.unix.c @@ -1,4 +1,4 @@ -/* $NetBSD: hack.unix.c,v 1.12 2009/06/07 20:13:18 dholland Exp $ */ +/* $NetBSD: hack.unix.c,v 1.13 2009/06/29 23:05:33 dholland Exp $ */ /* * Copyright (c) 1985, Stichting Centrum voor Wiskunde en Informatica, @@ -63,7 +63,7 @@ #include <sys/cdefs.h> #ifndef lint -__RCSID("$NetBSD: hack.unix.c,v 1.12 2009/06/07 20:13:18 dholland Exp $"); +__RCSID("$NetBSD: hack.unix.c,v 1.13 2009/06/29 23:05:33 dholland Exp $"); #endif /* not lint */ /* This file collects some Unix dependencies; hack.pager.c contains some more */ @@ -192,11 +192,11 @@ gethdate(char *name) if ((np = strchr(path, ':')) == NULL) np = path + strlen(path); /* point to end str */ if (np - path <= 1) /* %% */ - (void) strcpy(filename, name); + (void) strlcpy(filename, name, sizeof(filename)); else { - (void) strncpy(filename, path, np - path); - filename[np - path] = '/'; - (void) strcpy(filename + (np - path) + 1, name); + (void) snprintf(filename, sizeof(filename), + "%.*s/%s", + (int)(np - path), path, name); } if (stat(filename, &hbuf) == 0) return; |