Hi,
@@ -308,7 +310,7 @@
 
    if ( argc > 2 )
    {
-       char buffer[1000];
+       char buffer[MAX_STRING_CHARS];
        int i;
 
        strcpy( buffer, Cmd_Argv(1) );
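Review bot: enlarging the destination does not bound the copy; the unchanged line `strcpy( buffer, Cmd_Argv(1) );` still copies the whole argument, so an argument of MAX_STRING_CHARS bytes or more overflows buffer exactly as a 1000-byte one did before. Replace it with a copy limited to sizeof(buffer) that guarantees NUL termination, e.g. `strncpy( buffer, Cmd_Argv(1), sizeof(buffer) - 1 ); buffer[sizeof(buffer) - 1] = '\0';` (or the engine's own bounded copy helper if it has one), or reject arguments longer than the buffer before copying.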

Am I missing something, or is this still a buffer overflow?
Cmd_Argv(1) will get the second element from cmd_argv[] which
will be filled by CL_ConnectionlessPacket() in cl_main.c.
As far as I can see this tokenizes a packet without checking how
big the buffer is. It just allocates space for it in cmd.c.

So buffer could be overflowed by a user packet here, I think.

Kind regards
Nico

-- 
Nico Golde - http://ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
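The point raised in the mail, shown as an added example that is not part of the patch or of the engine's source: a handler in the shape of the hunk above, with the unbounded strcpy replaced by a length-limited copy. MAX_STRING_CHARS is given a constructed value of 1024 here, and handle_argument() stands in for the real command handler; the argument is assumed to come from a network packet, so its length is attacker-controlled.

```c
/* Added example, not from the patch or the engine source. */
#include <stdio.h>
#include <string.h>

#define MAX_STRING_CHARS 1024   /* assumed value for this example */

/* Copy at most destsize-1 bytes and always NUL-terminate.
 * Returns 1 if the whole source fit, 0 if it was truncated. */
int bounded_copy(char *dest, const char *src, size_t destsize)
{
    size_t n;
    if (destsize == 0)
        return 0;
    n = strlen(src);
    if (n >= destsize) {
        memcpy(dest, src, destsize - 1);
        dest[destsize - 1] = '\0';
        return 0;
    }
    memcpy(dest, src, n + 1);
    return 1;
}

/* Handler in the shape of the hunk. A plain strcpy(buffer, arg) would
 * write past buffer for any arg of MAX_STRING_CHARS bytes or more, no
 * matter how large the array is declared; the bounded copy cannot.
 * Returns the number of bytes stored in buffer (excluding the NUL). */
size_t handle_argument(const char *arg)
{
    char buffer[MAX_STRING_CHARS];

    bounded_copy(buffer, arg, sizeof(buffer));
    return strlen(buffer);
}

static char scratch[4096];

/* Build a constructed argument of arg_len 'A' bytes (capped at the scratch
 * size) and report how many bytes the handler actually stored. */
size_t stored_length_for(size_t arg_len)
{
    if (arg_len > sizeof(scratch) - 1)
        arg_len = sizeof(scratch) - 1;
    memset(scratch, 'A', arg_len);
    scratch[arg_len] = '\0';
    return handle_argument(scratch);
}

int main(void)
{
    printf("7-byte argument stored %zu bytes\n", stored_length_for(7));
    printf("4095-byte argument stored %zu bytes\n", stored_length_for(4095));
    return 0;
}
```

The stored length never exceeds MAX_STRING_CHARS - 1 regardless of the input length, which is the property the size change alone does not give.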

