<URL: http://bugs.freeciv.org/Ticket/Display.html?id=39898 >

I'm getting intermittent server crashes while playing Freeciv 2.1.0 on a
Fedora 8 machine.  The cause appears to be an off-by-one error in the
size of a buffer in the autosave code.  Fedora 8 compiles all C code
with -D_FORTIFY_SOURCE=2, and it is the FORTIFY check that is shutting
the server down.

The part array, declared at line 3342 of server/savegame.c, has size
PART_SIZE + 1.  The variable bytes_adjust, declared at line 3339, is set
to bytes_at_colon % 3; i.e., its value is 0, 1, or 2.  The variable
size_of_current_part, declared at line 3363, is PART_SIZE +
bytes_adjust; i.e., it is at most PART_SIZE + 2.  But then the memcpy on
line 3366 copies size_of_current_part bytes into part, possibly
overflowing it by one byte.  The fix is to declare part as having size
PART_SIZE + 2.

I am attaching a patch.

diff -dur freeciv-2.1.0.ORIG/server/savegame.c freeciv-2.1.0/server/savegame.c
--- freeciv-2.1.0.ORIG/server/savegame.c	2007-10-27 05:06:44.000000000 -0600
+++ freeciv-2.1.0/server/savegame.c	2007-11-23 21:01:39.000000000 -0700
@@ -3339,7 +3339,7 @@
     size_t bytes_adjust = bytes_at_colon % 3;
     int current_part_nr;
     int parts;
-    char part[PART_SIZE + 1];
+    char part[PART_SIZE + 2];
 
     secfile_insert_int(file, plr->attribute_block.length,
 		       "player%d.attribute_v2_block_length", plrno);
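Review bot: the +2 matches the largest value bytes_at_colon % 3 can take (the report's own bound of PART_SIZE + 2 for size_of_current_part), but the hunk and the report do not show whether `part` is NUL-terminated after the memcpy; if a terminator is written at part[size_of_current_part], a size of PART_SIZE + 2 still leaves no byte for it when bytes_adjust == 2, so the declaration should either be PART_SIZE + 3 in that case or, more robustly, the copy should be guarded by a check of size_of_current_part against sizeof(part). A short comment on the declaration explaining where the +2 comes from (the % 3 alignment adjust) would also keep the next reader from "simplifying" it back to +1.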
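The size arithmetic in the report, worked through as an added C example that is not Freeciv's code: PART_SIZE is set to a placeholder value (the real constant is not quoted in the report), the part length is computed exactly as described (PART_SIZE + bytes_at_colon % 3), and a bounded copy refuses the copy instead of overflowing when the part does not fit, which is the check a FORTIFY build enforces at runtime. The helper names are made up for this illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Placeholder for the real PART_SIZE in server/savegame.c, which the
 * report does not quote; the arithmetic is the same for any value. */
#define PART_SIZE 1024

/* Length of the part that will be copied for a given colon offset, as the
 * report describes it: PART_SIZE + (bytes_at_colon % 3). */
size_t part_bytes_needed(size_t bytes_at_colon) {
    size_t bytes_adjust = bytes_at_colon % 3;   /* 0, 1 or 2 */
    return PART_SIZE + bytes_adjust;
}

/* Largest part length the loop can ever ask for. */
size_t part_bytes_max(void) {
    return PART_SIZE + 2;
}

/* 1 if a buffer of `capacity` bytes can hold the part, 0 if it cannot. */
int part_fits(size_t capacity, size_t bytes_at_colon) {
    return part_bytes_needed(bytes_at_colon) <= capacity;
}

/* Bounded copy: returns -1 instead of writing past `dst` when the
 * requested length exceeds the destination capacity. */
int copy_part_checked(char *dst, size_t dst_capacity,
                      const char *src, size_t len) {
    if (len > dst_capacity) {
        return -1;
    }
    memcpy(dst, src, len);
    return 0;
}

/* Try all three possible remainders against a buffer of `capacity` bytes
 * and return how many of them would overflow it. */
int count_overflowing_cases(size_t capacity) {
    int overflows = 0;
    for (size_t rem = 0; rem < 3; rem++) {
        if (!part_fits(capacity, rem)) {
            overflows++;
        }
    }
    return overflows;
}

int main(void) {
    char old_buf[PART_SIZE + 1];        /* size before the patch */
    char new_buf[PART_SIZE + 2];        /* size after the patch */
    static char src[PART_SIZE + 2];     /* constructed source data */
    memset(src, 'x', sizeof src);

    for (size_t rem = 0; rem < 3; rem++) {
        size_t need = part_bytes_needed(rem);
        printf("bytes_adjust=%zu need=%zu old buffer: %s  new buffer: %s\n",
               rem, need,
               copy_part_checked(old_buf, sizeof old_buf, src, need) == 0
                   ? "ok" : "OVERFLOW",
               copy_part_checked(new_buf, sizeof new_buf, src, need) == 0
                   ? "ok" : "OVERFLOW");
    }
    return 0;
}
```

Only the bytes_adjust == 2 case overflows the PART_SIZE + 1 buffer, which is why the crash is intermittent: it depends on where the colon falls in the attribute block being saved.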
_______________________________________________
Freeciv-dev mailing list
Freeciv-dev@gna.org
https://mail.gna.org/listinfo/freeciv-dev
