
Commit f4a840a

PatRnhmall
authored andcommitted
fix potential buffer overflow loading config file
1 parent 58241fd commit f4a840a


2 files changed

+28
-28
lines changed


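--- a/doc/fixes36.4
+++ b/doc/fixes36.4
@@ -1,8 +1,8 @@
 $NHDT-Branch: NetHack-3.6 $:$NHDT-Revision: 1.4 $ $NHDT-Date: 1576287569 2019/12/14 01:39:29 $
 
-This fixes36.4 file is here to capture information about updates in the 3.6.x
-lineage following the release of 3.6.3 in December 2019. Hypothetical version
-3.6.4 may not be released, in which case these fixes will appear in 3.7.0.
+fixes36.4 contains a terse summary of changes made to 3.6.3 in order to
+produce 3.6.4.
+
 
 General Fixes and Modified Features
 -----------------------------------
@@ -15,11 +15,7 @@ message "your knapsack can't accomodate any more items" when picking stuff up
 or removing such from container was inaccurate if there was some gold
 pending; vary the message rather than add more convoluted pickup code
 dozen-ish assorted spelling/typo fixes in messages and source comments
-flying hero could not use a hole deliberately with '>'
-
-
-Fixes to Post-3.6.3 Problems that Were Exposed Via git Repository
-------------------------------------------------------------------
+fix potential buffer overflow when parsing run-time configuration file
 
 
 Platform- and/or Interface-Specific Fixes or Features
@@ -30,13 +26,6 @@ allow run-from-removable-device on Windows
 
 General New Features
 --------------------
-
-
-NetHack Community Patches (or Variation) Included
--------------------------------------------------
-
-
-Code Cleanup and Reorganization
--------------------------------
+none
 
 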
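--- a/src/files.c
+++ b/src/files.c
@@ -2309,10 +2309,14 @@ char *origbuf;
 int len;
 boolean retval = TRUE;
 
+while (*origbuf == ' ' || *origbuf == '\t') /* skip leading whitespace */
+++origbuf; /* (caller probably already did this) */
+(void) strncpy(buf, origbuf, sizeof buf - 1);
+buf[sizeof buf - 1] = '\0'; /* strncpy not guaranteed to NUL terminate */
 /* convert any tab to space, condense consecutive spaces into one,
 remove leading and trailing spaces (exception: if there is nothing
 but spaces, one of them will be kept even though it leads/trails) */
-mungspaces(strcpy(buf, origbuf));
+mungspaces(buf);
 
 /* find the '=' or ':' */
 bufp = find_optparam(buf);
@@ -3034,7 +3038,11 @@ boolean
 proc_wizkit_line(buf)
 char *buf;
 {
-struct obj *otmp = readobjnam(buf, (struct obj *) 0);
+struct obj *otmp;
+
+if (strlen(buf) >= BUFSZ)
+buf[BUFSZ - 1] = '\0';
+otmp = readobjnam(buf, (struct obj *) 0);
 
 if (otmp) {
 if (otmp != &zeroobj)
@@ -3142,22 +3150,23 @@ boolean FDECL((*proc), (char *));
 
 /* merge now read line with previous ones, if necessary */
 if (!ignoreline) {
-len = (int) strlen(inbuf) + 1;
+len = (int) strlen(ep) + 1; /* +1: final '\0' */
 if (buf)
-len += (int) strlen(buf);
+len += (int) strlen(buf) + 1; /* +1: space */
 tmpbuf = (char *) alloc(len);
+*tmpbuf = '\0';
 if (buf) {
-Sprintf(tmpbuf, "%s %s", buf, inbuf);
+Strcat(strcpy(tmpbuf, buf), " ");
 free(buf);
-} else
-Strcpy(tmpbuf, inbuf);
-buf = tmpbuf;
+}
+buf = strcat(tmpbuf, ep);
+buf[sizeof inbuf - 1] = '\0';
 }
 
 if (morelines || (ignoreline && !oldline))
 continue;
 
-if (handle_config_section(ep)) {
+if (handle_config_section(buf)) {
 free(buf);
 buf = (char *) 0;
 continue;
@@ -3179,11 +3188,11 @@ boolean FDECL((*proc), (char *));
 }
 bufp++;
 if (config_section_chosen)
-free(config_section_chosen);
+free(config_section_chosen), config_section_chosen = 0;
 section = choose_random_part(bufp, ',');
-if (section)
+if (section) {
 config_section_chosen = dupstr(section);
-else {
+} else {
 config_error_add("No config section to choose");
 rv = FALSE;
 }
@@ -3300,6 +3309,8 @@ int which_set;
 struct symparse *symp;
 char *bufp, *commentp, *altp;
 
+if (strlen(buf) >= BUFSZ)
+buf[BUFSZ - 1] = '\0';
 /* convert each instance of whitespace (tabs, consecutive spaces)
 into a single space; leading and trailing spaces are stripped */
 mungspaces(buf);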
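Review bot: In the line-merge hunk (`@@ -3142,22 +3150,23 @@`) the new `buf[sizeof inbuf - 1] = '\0';` stores at a fixed offset into a heap block that the same hunk obtains as `tmpbuf = (char *) alloc(len)`, with `len` derived from the actual string lengths; whenever the merged line is shorter than `sizeof inbuf` that store lands past the end of the allocation, an out-of-bounds heap write of the kind this commit is meant to remove. The truncation should be conditional on the length, `if (strlen(buf) >= sizeof inbuf) buf[sizeof inbuf - 1] = '\0';`, which also matches the shape of the two new `strlen(buf) >= BUFSZ` guards added in proc_wizkit_line and in the `int which_set;` hunk. The enclosing function (the one declaring `boolean FDECL((*proc), (char *));`) begins and ends outside the hunk, and `inbuf`'s declaration is not visible here, so the choice of `sizeof inbuf` as the bound is taken from the existing line rather than verified.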
