Re: Tetrix 1.13.16 is Vulnerable

[pavel () BUG UCW CZ (Pavel Machek)]

Hi!

>    I have recently found a buffer overflow in a TetriNet daemon for Linux
> called "Tetrix". To exploit this bug, you will need a hostname longer than
> 122 characters, and any method of connecting to the host on port 31457.
> Once you are connected, the overflow should take place.
>
> here is the patch!

...which does not work.

> diff -ru tetrinetx-1.13.16.orig/src/net.c tetrinetx-1.13.16/src/net.c
> --- tetrinetx-1.13.16.orig/src/net.c  Thu Dec 24 00:24:50 1998
> +++ tetrinetx-1.13.16/src/net.c       Sun Feb 14 16:22:11 1999
> @@ -250,15 +250,17 @@
>  unsigned long ip;
>  {
>    struct hostent *hp; unsigned long addr=ip;
> -  unsigned char *p; static char s[121];
> -/*  alarm(10);*/
> +  unsigned char *p; static char s[UHOSTLEN];
> +
>    hp=gethostbyaddr((char *)&addr,sizeof(addr),AF_INET); /*alarm(0);*/
>    if (hp==NULL) {
>      p=(unsigned char *)&addr;
>      sprintf(s,"%u.%u.%u.%u",p[0],p[1],p[2],p[3]);
>      return s;
>    }
> -  strcpy(s,hp->h_name); return s;
> +  strncpy(s,hp->h_name,(UHOSTLEN-1));
> +  s[strlen(s)]='\0';
> +  return s;

If s is not null-terminated after strncpy...

       The  strncpy()  function  is similar, except that not more
       than n bytes of src are copied. Thus, if there is no  null
       byte among the first n bytes of src, the result wil not be
       null-terminated.

...then s[strlen(s)]='\0'; will not help it - because strlen() looks
for \0 :-).

s[UHOSTLEN-1]='\0'; would be correct.

                                                                Pavel

--
I'm really pavel () atrey karlin mff cuni cz.      Pavel
Look at http://atrey.karlin.mff.cuni.cz/~pavel/ ;-).