Jonathan Neuschäfer
2009-Oct-02 11:33 UTC
[Secure-testing-team] Bug#549310: overkill: long player names can corrupt data on the server machine
Package: overkill
Version: 0.16-14
Severity: grave
Tags: patch security
Justification: user security hole

Players with names longer than 24 characters have been able to corrupt data on the machine where the server is run. This is made possible by not always checking whether the name of a connecting player is too long. I have made a patch to fix this.

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.30-1-686 (SMP w/1 CPU core)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages overkill depends on:
ii  libc6     2.9-27      GNU C Library: Shared libraries
ii  libx11-6  2:1.2.2-1   X11 client-side library
ii  libxpm4   1:3.5.7-2   X11 pixmap library

overkill recommends no packages.

overkill suggests no packages.

-- no debconf information

534a535
> int name_too_long;
538a540
> name_too_long=strlen(name)>MAX_NAME_LEN? 1:0;
543c545,546
< cp->member.name=mem_alloc(strlen(name)+1);
---
> cp->member.name=mem_alloc((name_too_long?MAX_NAME_LEN:strlen(name))+1);
> if (name_too_long) *(cp->member.name+MAX_NAME_LEN)=''\0'';
560c563
< memcpy(cp->member.name,name,strlen(name)+1);
---
> memcpy(cp->member.name,name,(name_too_long?MAX_NAME_LEN:strlen(name)));
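Review bot: hunk 538a540 keeps only a yes/no flag and then recomputes strlen(name) again in hunks 543c545,546 and 560c563, so the allocation size and the copy length are derived separately; storing the bounded length once, e.g. `size_t len = strlen(name); if (len > MAX_NAME_LEN) len = MAX_NAME_LEN;`, lets both later sites use the same value and removes the chance of the two drifting apart. The changelog should also say that over-long names are now silently truncated to MAX_NAME_LEN rather than rejected, since players will observe that behaviour.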
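Review bot: hunk 560c563 drops the terminating NUL in the ordinary case: when name_too_long is 0 the new memcpy copies strlen(name) bytes where the old line copied strlen(name)+1, and the only terminator the patch writes is the one in the name_too_long branch of hunk 543c545,546, so a name of legal length ends up unterminated in memory that mem_alloc is not shown to zero. Either keep the +1 for the not-too-long case, or terminate unconditionally after the copy with `cp->member.name[len]='\0';` where len is the bounded length, which also makes the conditional write in 543c545,546 unnecessary.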