mirror of
https://git.freebsd.org/ports.git
synced 2025-06-06 13:20:32 -04:00
a22f7c00b7
- Backport modified security patch from `games/quake2lnx' port - Fix several -Werror=return-type bugs, the most important being the one in R_Init() function which prevented correct graphics initialization, causing the game to segfault during start-up - For strlwr() function, just change it to `void' as its return value is never used anyway - While here, add some places of interest to the WWW line Reported by: Sergey V. Dyatko
157 lines
4.5 KiB
Text
157 lines
4.5 KiB
Text
--- client/cl_parse.c.orig 2002-10-10 09:40:17 UTC
|
|
+++ client/cl_parse.c
|
|
@@ -474,6 +474,9 @@ void CL_LoadClientinfo (clientinfo_t *ci, char *s)
|
|
strncpy(ci->cinfo, s, sizeof(ci->cinfo));
|
|
ci->cinfo[sizeof(ci->cinfo)-1] = 0;
|
|
|
|
+ // sku - avoid potential buffer overflow vulnerability
|
|
+ s = ci->cinfo;
|
|
+
|
|
// isolate the player's name
|
|
strncpy(ci->name, s, sizeof(ci->name));
|
|
ci->name[sizeof(ci->name)-1] = 0;
|
|
@@ -602,6 +605,7 @@ void CL_ParseConfigString (void)
|
|
int i;
|
|
char *s;
|
|
char olds[MAX_QPATH];
|
|
+ int length;
|
|
|
|
i = MSG_ReadShort (&net_message);
|
|
if (i < 0 || i >= MAX_CONFIGSTRINGS)
|
|
@@ -610,6 +614,12 @@ void CL_ParseConfigString (void)
|
|
|
|
strncpy (olds, cl.configstrings[i], sizeof(olds));
|
|
olds[sizeof(olds) - 1] = 0;
|
|
+
|
|
+ // sku - avoid potential buffer overflow vulnerability
|
|
+ length = strlen (s);
|
|
+ if (length > sizeof cl.configstrings - sizeof cl.configstrings[0] * i - 1) {
|
|
+ Com_Error (ERR_DROP, "CL_ParseConfigString: oversize configstring");
|
|
+ }
|
|
|
|
strcpy (cl.configstrings[i], s);
|
|
|
|
--- qcommon/cmd.c.orig 2002-12-12 08:44:37 UTC
|
|
+++ qcommon/cmd.c
|
|
@@ -217,6 +217,10 @@ void Cbuf_Execute (void)
|
|
}
|
|
|
|
|
|
+ // sku - remove potential buffer overflow vulnerability
|
|
+ if (i > sizeof line - 1) {
|
|
+ i = sizeof line - 1;
|
|
+ }
|
|
memcpy (line, text, i);
|
|
line[i] = 0;
|
|
|
|
@@ -679,7 +683,8 @@ void Cmd_TokenizeString (char *text, qboolean macroExp
|
|
{
|
|
int l;
|
|
|
|
- strcpy (cmd_args, text);
|
|
+ // sku - remove potential buffer overflow vulnerability
|
|
+ strncpy (cmd_args, text, sizeof cmd_args);
|
|
|
|
// strip off any trailing whitespace
|
|
l = strlen(cmd_args) - 1;
|
|
--- qcommon/common.c.orig 2002-12-13 11:33:44 UTC
|
|
+++ qcommon/common.c
|
|
@@ -776,7 +776,9 @@ char *MSG_ReadString (sizebuf_t *msg_read)
|
|
l = 0;
|
|
do
|
|
{
|
|
- c = MSG_ReadChar (msg_read);
|
|
+ // sku - replaced MSG_ReadChar with MSG_ReadByte to avoid
|
|
+ // potential vulnerability
|
|
+ c = MSG_ReadByte (msg_read);
|
|
if (c == -1 || c == 0)
|
|
break;
|
|
string[l] = c;
|
|
@@ -796,7 +798,9 @@ char *MSG_ReadStringLine (sizebuf_t *msg_read)
|
|
l = 0;
|
|
do
|
|
{
|
|
- c = MSG_ReadChar (msg_read);
|
|
+ // sku - replaced MSG_ReadChar with MSG_ReadByte to avoid
|
|
+ // potential vulnerability
|
|
+ c = MSG_ReadByte (msg_read);
|
|
if (c == -1 || c == 0 || c == '\n')
|
|
break;
|
|
string[l] = c;
|
|
--- server/sv_main.c.orig 2003-05-07 07:19:06 UTC
|
|
+++ server/sv_main.c
|
|
@@ -314,8 +314,9 @@ void SVC_DirectConnect (void)
|
|
|
|
challenge = atoi(Cmd_Argv(3));
|
|
|
|
- strncpy (userinfo, Cmd_Argv(4), sizeof(userinfo)-1);
|
|
- userinfo[sizeof(userinfo) - 1] = 0;
|
|
+ // sku - reserve 32 bytes for the IP address
|
|
+ strncpy (userinfo, Cmd_Argv(4), sizeof userinfo - 32);
|
|
+ userinfo[sizeof userinfo - 32] = 0;
|
|
|
|
// force the IP key/value pair so the game can filter based on ip
|
|
Info_SetValueForKey (userinfo, "ip", NET_AdrToString(net_from));
|
|
@@ -363,6 +364,11 @@ void SVC_DirectConnect (void)
|
|
&& ( cl->netchan.qport == qport
|
|
|| adr.port == cl->netchan.remote_address.port ) )
|
|
{
|
|
+ // sku - avoid reusing slot of the client already connected
|
|
+ if (cl->state != cs_zombie) {
|
|
+ Netchan_OutOfBandPrint (NS_SERVER, adr, "print\nConnected client from this IP is already present.\n");
|
|
+ return;
|
|
+ }
|
|
if (!NET_IsLocalAddress (adr) && (svs.realtime - cl->lastconnect) < ((int)sv_reconnect_limit->value * 1000))
|
|
{
|
|
Com_DPrintf ("%s:reconnect rejected : too soon\n", NET_AdrToString (adr));
|
|
--- server/sv_user.c.orig 2002-04-13 09:00:30 UTC
|
|
+++ server/sv_user.c
|
|
@@ -142,6 +142,9 @@ void SV_Configstrings_f (void)
|
|
}
|
|
|
|
start = atoi(Cmd_Argv(2));
|
|
+ if (start < 0) {
|
|
+ start = 0; // sku - catch negative offsets
|
|
+ }
|
|
|
|
// write a packet full of data
|
|
|
|
@@ -150,9 +153,18 @@ void SV_Configstrings_f (void)
|
|
{
|
|
if (sv.configstrings[start][0])
|
|
{
|
|
+ int length;
|
|
+
|
|
+ // sku - write configstrings that exceed MAX_QPATH in proper-sized chunks
|
|
+ length = strlen (sv.configstrings[start]);
|
|
+ if (length > MAX_QPATH) {
|
|
+ length = MAX_QPATH;
|
|
+ }
|
|
+
|
|
MSG_WriteByte (&sv_client->netchan.message, svc_configstring);
|
|
MSG_WriteShort (&sv_client->netchan.message, start);
|
|
- MSG_WriteString (&sv_client->netchan.message, sv.configstrings[start]);
|
|
+ SZ_Write (&sv_client->netchan.message, sv.configstrings[start], length);
|
|
+ MSG_WriteByte (&sv_client->netchan.message, 0);
|
|
}
|
|
start++;
|
|
}
|
|
@@ -199,6 +211,9 @@ void SV_Baselines_f (void)
|
|
}
|
|
|
|
start = atoi(Cmd_Argv(2));
|
|
+ if (start < 0) {
|
|
+ start = 0;
|
|
+ }
|
|
|
|
memset (&nullstate, 0, sizeof(nullstate));
|
|
|
|
@@ -398,7 +413,7 @@ Dumps the serverinfo info string
|
|
*/
|
|
void SV_ShowServerinfo_f (void)
|
|
{
|
|
- Info_Print (Cvar_Serverinfo());
|
|
+// Info_Print (Cvar_Serverinfo());
|
|
}
|
|
|
|
|