From d975abc96c4eabd4a1053ee21f2b6951779a87c4 Mon Sep 17 00:00:00 2001
From: tron
Date: Sun, 28 Aug 2005 12:24:57 +0000
Subject: (svn r2899) -Fix: Several format string vulnerabilities and buffer overflows in the network code
---
 console_cmds.c | 2 +-
 network.c | 4 ++--
 network_client.c | 8 ++++----
 network_server.c | 10 +++++-----
 texteff.c | 2 +-
 5 files changed, 13 insertions(+), 13 deletions(-)
diff --git a/console_cmds.c b/console_cmds.c
index 56e896d69..5eeb261ed 100644
--- a/console_cmds.c
+++ b/console_cmds.c
@@ -1132,7 +1132,7 @@ DEF_CONSOLE_HOOK(ConProcPlayerName)
 SEND_COMMAND(PACKET_CLIENT_SET_NAME)(_network_player_name);
 } else {
 if (NetworkFindName(_network_player_name)) {
- NetworkTextMessage(NETWORK_ACTION_NAME_CHANGE, 1, false, ci->client_name, _network_player_name);
+ NetworkTextMessage(NETWORK_ACTION_NAME_CHANGE, 1, false, ci->client_name, "%s", _network_player_name);
 ttd_strlcpy(ci->client_name, _network_player_name, sizeof(ci->client_name));
 NetworkUpdateClientInfo(NETWORK_SERVER_INDEX);
 }
diff --git a/network.c b/network.c
index a16d95b1c..6143c7925 100644
--- a/network.c
+++ b/network.c
@@ -100,7 +100,7 @@ void CDECL NetworkTextMessage(NetworkAction action, uint16 color, bool self_send
 char temp[1024];
 va_start(va, str);
- vsprintf(buf, str, va);
+ vsnprintf(buf, lengthof(buf), str, va);
 va_end(va);
 switch (action) {
@@ -499,7 +499,7 @@ void NetworkCloseClient(NetworkClientState *cs)
 GetString(str, STR_NETWORK_ERR_CLIENT_GENERAL + errorno);
- NetworkTextMessage(NETWORK_ACTION_LEAVE, 1, false, client_name, str);
+ NetworkTextMessage(NETWORK_ACTION_LEAVE, 1, false, client_name, "%s", str);
 // Inform other clients of this... strange leaving ;)
 FOR_ALL_CLIENTS(new_cs) {
diff --git a/network_client.c b/network_client.c
index b64e8358f..6da4b0618 100644
--- a/network_client.c
+++ b/network_client.c
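Review bot: NetworkTextMessage still takes `str` as a printf-style format with nothing that lets the compiler or the next caller see that, which is the condition that allowed the nine call sites patched in this commit to pass names and quit messages as the format. On compilers that support it, annotating the prototype (outside this diff) with `__attribute__((format(printf, 5, 6)))` would make `-Wformat` flag a non-literal format, and the same with `(printf, 3, 4)` fits AddTextMessage in texteff.c. Failing that, a comment above the definition such as `/* str is a printf format: pass untrusted text as an argument to "%s", never as str itself */` documents the contract. The function body starts and ends outside this hunk.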
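Review bot: `GetString(str, STR_NETWORK_ERR_CLIENT_GENERAL + errorno)` in the context of the NetworkCloseClient hunk is called without a destination size, so nothing visible here bounds the write into `str`, and the overflow fixes in this commit do not reach it. The declaration of `str` and the origin of `errorno` are outside the hunk, so this may already be safe; a comment such as `/* str must hold the longest STR_NETWORK_ERR_* string; GetString takes no size */` would record the assumption. If `errorno` can be influenced by the peer, a range check before it is added to the base string ID is also worth having.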
@@ -349,7 +349,7 @@ DEF_CLIENT_RECEIVE_COMMAND(PACKET_SERVER_CLIENT_INFO)
 if (ci != NULL) {
 if (playas == ci->client_playas && strcmp(name, ci->client_name) != 0) {
 // Client name changed, display the change
- NetworkTextMessage(NETWORK_ACTION_NAME_CHANGE, 1, false, ci->client_name, name);
+ NetworkTextMessage(NETWORK_ACTION_NAME_CHANGE, 1, false, ci->client_name, "%s", name);
 } else if (playas != ci->client_playas) {
 // The player changed from client-player..
 // Do not display that for now
@@ -666,7 +666,7 @@ DEF_CLIENT_RECEIVE_COMMAND(PACKET_SERVER_ERROR_QUIT)
 ci = NetworkFindClientInfoFromIndex(index);
 if (ci != NULL) {
- NetworkTextMessage(NETWORK_ACTION_LEAVE, 1, false, ci->client_name, str);
+ NetworkTextMessage(NETWORK_ACTION_LEAVE, 1, false, ci->client_name, "%s", str);
 // The client is gone, give the NetworkClientInfo free
 ci->client_index = NETWORK_EMPTY_INDEX;
@@ -684,11 +684,11 @@ DEF_CLIENT_RECEIVE_COMMAND(PACKET_SERVER_QUIT)
 NetworkClientInfo *ci;
 index = NetworkRecv_uint16(MY_CLIENT, p);
- NetworkRecv_string(MY_CLIENT, p, str, 100);
+ NetworkRecv_string(MY_CLIENT, p, str, lengthof(str));
 ci = NetworkFindClientInfoFromIndex(index);
 if (ci != NULL) {
- NetworkTextMessage(NETWORK_ACTION_LEAVE, 1, false, ci->client_name, str);
+ NetworkTextMessage(NETWORK_ACTION_LEAVE, 1, false, ci->client_name, "%s", str);
 // The client is gone, give the NetworkClientInfo free
 ci->client_index = NETWORK_EMPTY_INDEX;
diff --git a/network_server.c b/network_server.c
index 3af33e022..28d32475d 100644
--- a/network_server.c
+++ b/network_server.c
@@ -162,7 +162,7 @@ DEF_SERVER_SEND_COMMAND_PARAM(PACKET_SERVER_ERROR)(NetworkClientState *cs, Netwo
 DEBUG(net, 2)("[NET] %s made an error (%s) and his connection is closed", client_name, str);
- NetworkTextMessage(NETWORK_ACTION_LEAVE, 1, false, client_name, str);
+ NetworkTextMessage(NETWORK_ACTION_LEAVE, 1, false, client_name, "%s", str);
 FOR_ALL_CLIENTS(new_cs) {
 if (new_cs->status > STATUS_AUTH && new_cs != cs) {
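Review bot: `lengthof(str)` in the PACKET_SERVER_QUIT handler is the right bound only while `str` is a true array in this scope; its declaration is above the hunk, and if it is ever turned into a pointer the macro would quietly yield a wrong count. The same applies to the matching change in the PACKET_CLIENT_QUIT handler in network_server.c. The hand-written `100` removed here suggests other NetworkRecv_string callers may carry literal sizes too, so each call site is worth checking against its own destination buffer. A comment at the declaration such as `/* must stay an array: size is taken with lengthof() below */` would protect the assumption.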
@@ -904,7 +904,7 @@ DEF_SERVER_RECEIVE_COMMAND(PACKET_CLIENT_ERROR)
 DEBUG(net, 2)("[NET] %s reported an error and is closing his connection (%s)", client_name, str);
- NetworkTextMessage(NETWORK_ACTION_LEAVE, 1, false, client_name, str);
+ NetworkTextMessage(NETWORK_ACTION_LEAVE, 1, false, client_name, "%s", str);
 FOR_ALL_CLIENTS(new_cs) {
 if (new_cs->status > STATUS_AUTH) {
@@ -929,11 +929,11 @@ DEF_SERVER_RECEIVE_COMMAND(PACKET_CLIENT_QUIT)
 return;
 }
- NetworkRecv_string(cs, p, str, 100);
+ NetworkRecv_string(cs, p, str, lengthof(str));
 NetworkGetClientName(client_name, sizeof(client_name), cs);
- NetworkTextMessage(NETWORK_ACTION_LEAVE, 1, false, client_name, str);
+ NetworkTextMessage(NETWORK_ACTION_LEAVE, 1, false, client_name, "%s", str);
 FOR_ALL_CLIENTS(new_cs) {
 if (new_cs->status > STATUS_AUTH) {
@@ -1108,7 +1108,7 @@ DEF_SERVER_RECEIVE_COMMAND(PACKET_CLIENT_SET_NAME)
 if (ci != NULL) {
 // Display change
 if (NetworkFindName(client_name)) {
- NetworkTextMessage(NETWORK_ACTION_NAME_CHANGE, 1, false, ci->client_name, client_name);
+ NetworkTextMessage(NETWORK_ACTION_NAME_CHANGE, 1, false, ci->client_name, "%s", client_name);
 ttd_strlcpy(ci->client_name, client_name, sizeof(ci->client_name));
 NetworkUpdateClientInfo(ci->client_index);
 }
diff --git a/texteff.c b/texteff.c
index 25a85e275..d53f22b7d 100644
--- a/texteff.c
+++ b/texteff.c
@@ -62,7 +62,7 @@ void CDECL AddTextMessage(uint16 color, uint8 duration, const char *message, ...
 int length;
 va_start(va, message);
- vsprintf(buf, message, va);
+ vsnprintf(buf, lengthof(buf), message, va);
 va_end(va);
 /* Special color magic */
-- cgit v1.2.3-70-g09d2
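Review bot: The return value of `vsnprintf` in AddTextMessage is discarded, so a message longer than `buf` is cut without notice. On C runtimes where the call resolves to a pre-C99 variant such as `_vsnprintf`, a truncated result is also left without a terminating NUL. Adding `buf[lengthof(buf) - 1] = '\0';` after `va_end(va);` covers that case, and the same applies to the `vsnprintf` call in NetworkTextMessage in network.c. `buf` is declared above both hunks, so `lengthof(buf)` is assumed to be applied to an array there.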