Re: #!ICadv-02.09.03: nethack 3.4.0 local buffer overflow

[Peter Pentchev <roam () ringlet net>]

On Sat, Feb 08, 2003 at 11:18:49PM -0800, tsao_4sh0 () hushmail com wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
>
> ###################################################
>
> /usr/games/lib/nethackdir/nethack - LOCALLY EXPLOITABLE BUFFER
>
> try th1s: nethack -s `perl -e "print 'A' x 1000"`

Here is a bandaid that I just committed to the FreeBSD Ports Collection
and also submitted to the NetHack developers.  I say 'bandaid', because
there might be a lot of other strcat() weirdnesses in the NetHack source
:(

The patch is also available at
http://people.FreeBSD.org/~roam/devel/nethack/topten.c.patch

G'luck,
Peter

-- 
Peter Pentchev  roam () ringlet net     roam () FreeBSD org
PGP key:        http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
I've heard that this sentence is a rumor.

--- src/topten.c        Thu Mar 21 01:43:19 2002
+++ src/topten.c        Tue Feb 11 15:36:23 2003
@@ -855,8 +855,15 @@
            if (playerct < 1) Strcat(pbuf, "you.");
            else {
                if (playerct > 1) Strcat(pbuf, "any of ");
-               for (i = 0; i < playerct; i++) {
-                   Strcat(pbuf, players[i]);
+               for (i = 0; i < playerct && strlen(pbuf) < sizeof(pbuf) - 2;
+                   i++) {
+                   size_t len = strlen(pbuf), rest;
+                   if (strlen(players[i]) > sizeof(pbuf) - len - 2) {
+                       rest = sizeof(pbuf) - strlen(pbuf) - 2;
+                       memcpy(pbuf + len, players[i], rest);
+                       pbuf[len + rest] = '\0';
+                   } else
+                       Strcat(pbuf, players[i]);
                    if (i < playerct-1) {
                        if (players[i][0] == '-' &&
                            index("pr", players[i][1]) && players[i][2] == 0)

Attachment: _bin
Description: