[Secure-testing-team] Bug#549310: overkill: long player names can corrupt data on the server machine
Jonathan Neuschäfer
j.neuschaefer at gmx.net
Fri Oct 2 11:33:17 UTC 2009
Package: overkill
Version: 0.16-14
Severity: grave
Tags: patch security
Justification: user security hole
Players with names longer than 24 characters have been able to corrupt data on the machine where the server is run. This is made possible by not always checking whether the name of a connecting player is too long. I have made a patch to fix this.
-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.30-1-686 (SMP w/1 CPU core)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages overkill depends on:
ii libc6 2.9-27 GNU C Library: Shared libraries
ii libx11-6 2:1.2.2-1 X11 client-side library
ii libxpm4 1:3.5.7-2 X11 pixmap library
overkill recommends no packages.
overkill suggests no packages.
-- no debconf information
534a535
> int name_too_long;
538a540
> name_too_long=strlen(name)>MAX_NAME_LEN? 1:0;
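Review bot: a flag plus two repeated ternaries (in the allocation and in the memcpy below) is harder to audit than a single clamped length; compute it once here, e.g. `size_t len = strlen(name); if (len > MAX_NAME_LEN) len = MAX_NAME_LEN;`, and use `len` for both the allocation and the copy, so the two sizes cannot drift apart in a later edit.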
543c545,546
< cp->member.name=mem_alloc(strlen(name)+1);
---
> cp->member.name=mem_alloc((name_too_long?MAX_NAME_LEN:strlen(name))+1);
> if (name_too_long) *(cp->member.name+MAX_NAME_LEN)='\0';
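Review bot: this hunk silently truncates instead of rejecting, so a player who sends more than MAX_NAME_LEN characters is admitted under a shortened name with no feedback; the report says a length check already exists elsewhere but is not always applied, so if that path rejects the connection the two paths now behave differently, and rejecting here as well would keep them consistent. The terminator write `*(cp->member.name+MAX_NAME_LEN)='\0'` is in bounds (the buffer is MAX_NAME_LEN+1 bytes in that case), but it is placed before the copy and only for the truncated case; terminating once, after the copy, for both cases is simpler and does not depend on the later memcpy leaving that byte alone.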
560c563
< memcpy(cp->member.name,name,strlen(name)+1);
---
> memcpy(cp->member.name,name,(name_too_long?MAX_NAME_LEN:strlen(name)));
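Review bot: the `+1` from the original `strlen(name)+1` has been dropped, so for a name that is not too long the memcpy copies exactly strlen(name) bytes and the NUL terminator is never written into the new buffer (the terminator added in the previous hunk only covers the truncated case), leaving the last byte of the allocation uninitialised. Either keep the `+1` in the short case, or better, follow the memcpy with an unconditional `cp->member.name[copied_len] = '\0';` where `copied_len` is the number of bytes actually copied.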
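As an added illustration of the fix the patch is aiming for (this is example code, not the overkill source or the reporter's patch), the following copies a player name with a hard upper bound and always writes the terminator, after the copy, for both the short and the truncated case. `MAX_NAME_LEN`, `store_name()` and `name_ok()` are assumed names; only the 24-character limit comes from the report.

```c
#include <stdlib.h>
#include <string.h>

#define MAX_NAME_LEN 24   /* limit quoted in the bug report; macro name assumed */

/* Copy at most MAX_NAME_LEN bytes of name into a freshly allocated
 * buffer that is always NUL-terminated.  Returns the buffer (caller
 * frees it) or NULL if allocation fails.  *truncated is set to 1 when
 * the name had to be cut, 0 otherwise. */
char *store_name(const char *name, int *truncated)
{
    size_t len = strlen(name);
    char *buf;

    /* Clamp the length once; every later size derives from it. */
    if (len > MAX_NAME_LEN) {
        len = MAX_NAME_LEN;
        *truncated = 1;
    } else {
        *truncated = 0;
    }

    buf = malloc(len + 1);           /* room for the clamped name plus NUL */
    if (buf == NULL)
        return NULL;

    memcpy(buf, name, len);          /* never more than MAX_NAME_LEN bytes */
    buf[len] = '\0';                 /* terminator written unconditionally,
                                        after the copy, in both cases */
    return buf;
}

/* Rejection variant: a server that prefers to refuse over-long names
 * can check this before accepting the connection. */
int name_ok(const char *name)
{
    return strlen(name) <= MAX_NAME_LEN;
}

int main(void)
{
    /* Constructed input: 30 'A's, six over the limit. */
    int cut = 0;
    char *copy = store_name("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", &cut);
    if (copy == NULL)
        return 1;
    free(copy);
    return cut ? 0 : 1;
}
```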