I've attached an untested patch that adds bounds checking in the place
Clint Adams pointed out.
Please verify for correctness and test carefully.
--
Regards,
Andreas Henriksson
diff -uriNp conquest-8.2/meta.c conquest-8.2-buffull/meta.c
--- conquest-8.2/meta.c 2006-08-13 23:58:49.000000000 +0200
+++ conquest-8.2-buffull/meta.c 2007-03-05 10:44:46.000000000 +0100
@@ -405,6 +405,17 @@ int metaGetServerList(char *remotehost,
off = 0;
while (read(s, &c, 1) > 0)
{
+ if (off > sizeof(buf)-1)
+ { /* buffer is full, treat as invalid record and goto next */
+ clog("metaGetServerList: invalid record (buffer full), skipping");
+ memset(buf, '\0', sizeof(buf));
+ off = 0;
+ do {
+ if (c == '\n')
+ break;
+ } while (read(s, &c, 1) > 0);
+ continue;
+ }
if (c != '\n')
{
buf[off++] = c;
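Review bot: The guard at the top of the loop, `if (off > sizeof(buf)-1)`, still lets the store `buf[off++] = c` write the last byte of buf, so a record from the remote host that is exactly sizeof(buf) bytes long leaves the buffer with no terminating NUL. Inside the loop the next byte takes the skip path, but if read() returns 0 or fails at that point the loop exits with buf full and unterminated; whether later code treats buf as a string is outside the hunk. Reserving the last byte with `if (off >= sizeof(buf) - 1)` keeps the buffer terminated on every path, assuming buf is zeroed before the loop as it is on the skip path. The bound is also only correct if buf is an array in this scope rather than a pointer; its declaration and the rest of the loop body are outside the hunk.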