Attempt to fix CVE-2007-4642 - undelimited strcpy in PKT_CHAT - know …

…known exploits of this. Fix works by utilising a smarter string copy that is bounds checked to ensure all strings are null terminated - even if it means discarding input
skyjake · Sep 16, 2007 · 28880f0 · 28880f0
1 parent 9554766
commit 28880f0
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 5 deletions.
diff --git a/doomsday/plugins/common/include/d_net.h b/doomsday/plugins/common/include/d_net.h
@@ -27,7 +27,7 @@
 
 #include "dd_share.h"
 
-#define NETBUFFER_MAXMESSAGE 256
+#define NETBUFFER_MAXMESSAGE 255
 
 #ifdef __JHEXEN__
 #define PLR_COLOR(pl, x)    (((unsigned)(x)) > 7? (pl) % 8 : (x))

diff --git a/doomsday/plugins/common/src/d_net.c b/doomsday/plugins/common/src/d_net.c
@@ -79,7 +79,7 @@ extern int netSvAllowSendMsg;
 
 // PUBLIC DATA DEFINITIONS -------------------------------------------------
 
-char    msgBuff[NETBUFFER_MAXMESSAGE];
+char    msgBuff[NETBUFFER_MAXMESSAGE + 1];
 float   netJumpPower = 9;
 
 // Net code related console commands
@@ -464,15 +464,15 @@ void D_HandlePacket(int fromplayer, int type, void *data, int length)
         break;
 
     case GPT_MESSAGE:
-        strcpy(msgBuff, data);
+        snprintf(msgBuff,  NETBUFFER_MAXMESSAGE, "%s", data);
         P_SetMessage(&players[consoleplayer], msgBuff, false);
 
         break;
 
 #ifndef __JDOOM__
 #ifndef __JHERETIC__
     case GPT_YELLOW_MESSAGE:
-        strcpy(msgBuff, data);
+        snprintf(msgBuff,  NETBUFFER_MAXMESSAGE, "%s", data);
         P_SetYellowMessage(&players[consoleplayer], msgBuff, false);
         break;
 #endif
@@ -566,7 +566,7 @@ void D_ChatSound(void)
  */
 static void D_NetMessageEx(char *msg, boolean playSound)
 {
-    strcpy(msgBuff, msg);
+    snprintf(msgBuff,  NETBUFFER_MAXMESSAGE, "%s", msg);
     // This is intended to be a local message.
     // Let's make sure P_SetMessage doesn't forward it anywhere.
     netSvAllowSendMsg = false;