Hi, @@ -308,7 +310,7 @@ if ( argc > 2 ) { - char buffer[1000]; + char buffer[MAX_STRING_CHARS]; int i; strcpy( buffer, Cmd_Argv(1) );
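Review bot: enlarging the buffer does not remove the unbounded copy; `strcpy( buffer, Cmd_Argv(1) );` still writes however many bytes the returned token has, so whether the local is 1000 or MAX_STRING_CHARS bytes the hunk only moves the point at which a long argument overflows it. Guard the copy with an explicit check such as `if ( strlen( Cmd_Argv(1) ) >= sizeof( buffer ) ) return;` or use a length-bounded copy that NUL-terminates, and state in the commit message why MAX_STRING_CHARS is the right bound for a tokenized argument, since nothing in the hunk establishes that.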
Am I missing something, or is this still a buffer overflow? Cmd_Argv(1) will get the second element from cmd_argv[], which will be filled by CL_ConnectionlessPacket() in cl_main.c. As far as I can see, this tokenizes a packet without checking how big the buffer is; it just allocates space for it in cmd.c. So buffer could be overflowed by a user package here, I think.

Kind regards
Nico

--
Nico Golde - http://ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
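As an added example, not code from the mail above or from the game source it discusses, the following shows why a larger local buffer alone does not close the hole at the site the hunk touches, and what a length-checked copy at that point looks like. The value of MAX_STRING_CHARS is not given on the page, so 1024 is an assumption; `handle_token()` and `copy_arg_checked()` are hypothetical stand-ins for the hunk's code path, and the `token` parameter stands in for whatever Cmd_Argv(1) returns.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed bound: the page never shows the value of MAX_STRING_CHARS, so
 * 1024 here is an assumption made for this example only. */
#define MAX_STRING_CHARS 1024

/* Bounded replacement for the hunk's strcpy: copies src into dst only if it
 * fits together with its terminating NUL. Returns 1 on success, 0 if the
 * token is too long (dst is left as an empty string in that case). */
int copy_arg_checked(char *dst, size_t dst_size, const char *src)
{
    size_t n = strlen(src);
    if (dst_size == 0 || n >= dst_size) {
        if (dst_size) dst[0] = '\0';
        return 0;
    }
    memcpy(dst, src, n + 1);
    return 1;
}

/* Models the code path from the hunk: a fixed-size local buffer receiving
 * one tokenized argument. `token` stands in for Cmd_Argv(1). Returns 1 if
 * the argument was accepted, 0 if it was rejected as oversized. */
int handle_token(const char *token)
{
    char buffer[MAX_STRING_CHARS];

    /* Original (vulnerable) form, shown for comparison and never executed:
     *     strcpy( buffer, token );
     * Nothing limits strlen(token) to sizeof(buffer) - 1, regardless of
     * whether buffer holds 1000 or MAX_STRING_CHARS bytes. */
    if (!copy_arg_checked(buffer, sizeof buffer, token))
        return 0;

    /* ... the rest of the handler would work on buffer here ... */
    return 1;
}

/* Test helper: builds a constructed token of `len` 'A' characters (a stand-in
 * for an attacker-chosen argument) and runs it through handle_token().
 * Returns -1 if the token could not be allocated. */
int token_of_length_accepted(size_t len)
{
    char *token = malloc(len + 1);
    int accepted;
    if (!token) return -1;
    memset(token, 'A', len);
    token[len] = '\0';
    accepted = handle_token(token);
    free(token);
    return accepted;
}

int main(void)
{
    printf("%4d chars: %s\n", 5,
           token_of_length_accepted(5) ? "accepted" : "rejected");
    printf("%4d chars: %s\n", MAX_STRING_CHARS - 1,
           token_of_length_accepted(MAX_STRING_CHARS - 1) ? "accepted" : "rejected");
    printf("%4d chars: %s\n", MAX_STRING_CHARS,
           token_of_length_accepted(MAX_STRING_CHARS) ? "accepted" : "rejected");
    return 0;
}
```

The check rejects an oversized argument outright rather than silently truncating it, because a truncated argument can change the meaning of a command; where truncation is acceptable, the same test against sizeof(buffer) is the one condition the hunk is missing.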