Module Name:    src
Committed By:   snj
Date:           Mon Jun 29 23:46:51 UTC 2009

Modified Files:
        src/games/hack [netbsd-4-0]: hack.do_name.c hack.h hack.invent.c
            hack.main.c hack.rip.c hack.topl.c hack.unix.c

Log Message:
Pull up following revision(s) (requested by dholland in ticket #1331):
        games/hack/hack.do_name.c: revision 1.10
        games/hack/hack.h: revision 1.13 via patch
        games/hack/hack.invent.c: revision 1.13
        games/hack/hack.main.c: revision 1.13
        games/hack/hack.rip.c: revision 1.11
        games/hack/hack.topl.c: revision 1.11
        games/hack/hack.unix.c: revision 1.13
Fix two serious string-handling bugs (one exploitable, one probably
exploitable) and also add proper checking/paranoia in several other
places.


To generate a diff of this commit:
cvs rdiff -u -r1.6.26.1 -r1.6.26.2 src/games/hack/hack.do_name.c
cvs rdiff -u -r1.10 -r1.10.26.1 src/games/hack/hack.h
cvs rdiff -u -r1.10.14.1 -r1.10.14.2 src/games/hack/hack.invent.c
cvs rdiff -u -r1.9.26.1 -r1.9.26.2 src/games/hack/hack.main.c \
    src/games/hack/hack.unix.c
cvs rdiff -u -r1.7.26.1 -r1.7.26.2 src/games/hack/hack.rip.c \
    src/games/hack/hack.topl.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/games/hack/hack.do_name.c
diff -u src/games/hack/hack.do_name.c:1.6.26.1 src/games/hack/hack.do_name.c:1.6.26.2
--- src/games/hack/hack.do_name.c:1.6.26.1	Mon Jun 29 23:43:48 2009
+++ src/games/hack/hack.do_name.c	Mon Jun 29 23:46:51 2009
@@ -1,4 +1,4 @@
-/*	$NetBSD: hack.do_name.c,v 1.6.26.1 2009/06/29 23:43:48 snj Exp $	*/
+/*	$NetBSD: hack.do_name.c,v 1.6.26.2 2009/06/29 23:46:51 snj Exp $	*/
 
 /*
  * Copyright (c) 1985, Stichting Centrum voor Wiskunde en Informatica,
@@ -63,7 +63,7 @@
 
 #include <sys/cdefs.h>
 #ifndef lint
-__RCSID("$NetBSD: hack.do_name.c,v 1.6.26.1 2009/06/29 23:43:48 snj Exp $");
+__RCSID("$NetBSD: hack.do_name.c,v 1.6.26.2 2009/06/29 23:46:51 snj Exp $");
 #endif				/* not lint */
 
 #include <stdlib.h>
@@ -284,7 +284,7 @@
 				gn = ghostnames[rn2(SIZE(ghostnames))];
 				if (!rn2(2))
 					(void)
-						strcpy((char *) mtmp->mextra, !rn2(5) ? plname : gn);
+						strlcpy((char *) mtmp->mextra, !rn2(5) ? plname : gn, mtmp->mxlth);
 			}
 			(void) snprintf(buf, sizeof(buf), "%s's ghost", gn);
 		}
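Review bot: The new bound on the `strlcpy` line, `mtmp->mxlth`, is taken on trust as the allocated size of `mtmp->mextra`; nothing visible in this hunk establishes that, or that it is non-zero. With a size of 0 `strlcpy` writes nothing at all, so `mextra` would keep whatever bytes it held before, terminated or not. Once the allocation has been checked against the code that creates the monster, I would record it at the call with a comment such as `/* mxlth is the size of the mextra allocation */` and consider guarding the copy with `if (mtmp->mxlth > 0)`. The `(void)` cast also hides truncation of the name, which looks harmless here but is worth stating. The enclosing function starts and ends outside the hunk.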

Index: src/games/hack/hack.h
diff -u src/games/hack/hack.h:1.10 src/games/hack/hack.h:1.10.26.1
--- src/games/hack/hack.h:1.10	Tue Jan 27 20:30:29 2004
+++ src/games/hack/hack.h	Mon Jun 29 23:46:51 2009
@@ -1,4 +1,4 @@
-/*	$NetBSD: hack.h,v 1.10 2004/01/27 20:30:29 jsm Exp $	*/
+/*	$NetBSD: hack.h,v 1.10.26.1 2009/06/29 23:46:51 snj Exp $	*/
 
 /*
  * Copyright (c) 1985, Stichting Centrum voor Wiskunde en Informatica,
@@ -202,7 +202,7 @@
 extern char SAVEF[];
 extern char fut_geno[60]; /* idem */
 extern char genocided[60]; /* defined in Decl.c */
-extern char lock[];
+extern char lock[PL_NSIZ + 4];
 extern char mlarge[];
 extern char morc;
 extern char nul[];
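Review bot: The `+ 4` in `extern char lock[PL_NSIZ + 4];` is an unexplained magic number, and the declaration now has to agree with the definition of `lock`, which is not part of this diff. Judging from `glo()` in hack.main.c, which appends `".%d"` to the name, the extra bytes are presumably room for that suffix and the terminator; a comment such as `/* player name plus the ".%d" level suffix; must match the definition */` would record it. Because `glo()` now bounds its write with `sizeof(lock)`, a definition with a smaller size in a file that does not include this header would make that bound wrong without any compiler diagnostic.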

Index: src/games/hack/hack.invent.c
diff -u src/games/hack/hack.invent.c:1.10.14.1 src/games/hack/hack.invent.c:1.10.14.2
--- src/games/hack/hack.invent.c:1.10.14.1	Mon Jun 29 23:43:48 2009
+++ src/games/hack/hack.invent.c	Mon Jun 29 23:46:51 2009
@@ -1,4 +1,4 @@
-/*	$NetBSD: hack.invent.c,v 1.10.14.1 2009/06/29 23:43:48 snj Exp $	*/
+/*	$NetBSD: hack.invent.c,v 1.10.14.2 2009/06/29 23:46:51 snj Exp $	*/
 
 /*
  * Copyright (c) 1985, Stichting Centrum voor Wiskunde en Informatica,
@@ -63,9 +63,10 @@
 
 #include <sys/cdefs.h>
 #ifndef lint
-__RCSID("$NetBSD: hack.invent.c,v 1.10.14.1 2009/06/29 23:43:48 snj Exp $");
+__RCSID("$NetBSD: hack.invent.c,v 1.10.14.2 2009/06/29 23:46:51 snj Exp $");
 #endif				/* not lint */
 
+#include <assert.h>
 #include <stdlib.h>
 #include "hack.h"
 #include "extern.h"
@@ -578,7 +579,7 @@
 	char            buf[BUFSZ];
 	char           *ip;
 	char            sym;
-	int             oletct = 0, iletct = 0;
+	unsigned        oletct = 0, iletct = 0;
 	boolean         allflag = FALSE;
 	char            olets[20], ilets[20];
 	int           (*ckfn)(struct obj *) =
@@ -609,6 +610,7 @@
 		if (invent)
 			ilets[iletct++] = 'a';
 		ilets[iletct] = 0;
+		assert(iletct < sizeof(ilets));
 	}
 	pline("What kinds of thing do you want to %s? [%s] ",
 	      word, ilets);
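Review bot: The added `assert(iletct < sizeof(ilets));` runs after `ilets[iletct++] = 'a'` and `ilets[iletct] = 0` have already stored through the index, so an overrun is reported only once the out-of-bounds write has happened, and the check is compiled out entirely if the game is built with NDEBUG. Bounding each store before it happens would prevent the write instead of detecting it, for example `if (invent && iletct < sizeof(ilets) - 1) ilets[iletct++] = 'a';`. The same assert-after-store pattern appears in the later hunks of this file for `olets`, `any` and both `stuff` sites. The change of the counters to `unsigned` keeps the comparison with `sizeof` free of a sign conversion and should stay. The enclosing function starts and ends outside the hunk.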
@@ -637,6 +639,7 @@
 				olets[oletct++] = sym;
 				olets[oletct] = 0;
 			}
+			assert(oletct < sizeof(olets));
 		} else
 			pline("You don't have any %c's.", sym);
 	}
@@ -754,7 +757,7 @@
 {
 	struct obj     *otmp;
 	char            ilet;
-	int             ct = 0;
+	unsigned        ct = 0;
 	char            any[BUFSZ];
 
 	morc = 0;		/* just to be sure */
@@ -777,6 +780,7 @@
 				ilet = 'A';
 	}
 	any[ct] = 0;
+	assert(ct < sizeof(any));
 	cornline(2, any);
 }
 
@@ -786,7 +790,7 @@
 	/* Changed to one type only, so he doesnt have to type cr */
 	char            c, ilet;
 	char            stuff[BUFSZ];
-	int             stct;
+	unsigned        stct;
 	struct obj     *otmp;
 	boolean         billx = inshop() && doinvbill(0);
 	boolean         unpd = FALSE;
@@ -812,6 +816,7 @@
 	if (billx)
 		stuff[stct++] = 'x';
 	stuff[stct] = 0;
+	assert(stct < sizeof(stuff));
 
 	if (stct > 1) {
 		pline("What type of object [%s] do you want an inventory of? ",
@@ -848,6 +853,8 @@
 				ilet = 'A';
 	}
 	stuff[stct] = '\0';
+	assert(stct < sizeof(stuff));
+
 	if (stct == 0)
 		pline("You have no such objects.");
 	else

Index: src/games/hack/hack.main.c
diff -u src/games/hack/hack.main.c:1.9.26.1 src/games/hack/hack.main.c:1.9.26.2
--- src/games/hack/hack.main.c:1.9.26.1	Mon Jun 29 23:43:48 2009
+++ src/games/hack/hack.main.c	Mon Jun 29 23:46:51 2009
@@ -1,4 +1,4 @@
-/*	$NetBSD: hack.main.c,v 1.9.26.1 2009/06/29 23:43:48 snj Exp $	*/
+/*	$NetBSD: hack.main.c,v 1.9.26.2 2009/06/29 23:46:51 snj Exp $	*/
 
 /*
  * Copyright (c) 1985, Stichting Centrum voor Wiskunde en Informatica,
@@ -63,7 +63,7 @@
 
 #include <sys/cdefs.h>
 #ifndef lint
-__RCSID("$NetBSD: hack.main.c,v 1.9.26.1 2009/06/29 23:43:48 snj Exp $");
+__RCSID("$NetBSD: hack.main.c,v 1.9.26.2 2009/06/29 23:46:51 snj Exp $");
 #endif				/* not lint */
 
 #include <signal.h>
@@ -302,7 +302,8 @@
 				}
 				*gp = 0;
 			} else
-				(void) strcpy(genocided, sfoo);
+				(void) strlcpy(genocided, sfoo,
+						sizeof(genocided));
 			(void) strcpy(fut_geno, genocided);
 		}
 	}
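Review bot: The `strcpy(fut_geno, genocided)` left unchanged on the line after the new `strlcpy` stays in bounds only because hack.h declares both arrays as `[60]` and `genocided` is terminated on the path shown. Making it `(void) strlcpy(fut_geno, genocided, sizeof(fut_geno));` keeps the copy bounded if either size ever changes. The other branch, which ends with `*gp = 0`, writes through `gp` in code outside the hunk, so whether that path is bounded cannot be judged from here.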
@@ -481,12 +482,12 @@
 	int foo;
 {
 	/* construct the string  xlock.n  */
-	char           *tf;
+	size_t pos;
 
-	tf = lock;
-	while (*tf && *tf != '.')
-		tf++;
-	(void) sprintf(tf, ".%d", foo);
+	pos = 0;
+	while (lock[pos] && lock[pos] != '.')
+		pos++;
+	(void) snprintf(lock + pos, sizeof(lock) - pos, ".%d", foo);
 }
 
 /*
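Review bot: The `snprintf` result in `glo()` is discarded, so a suffix that does not fit in `lock` is silently cut, and a shortened `.%d` would name a different level file than the caller asked for. I would keep the return value in an `int n` and treat `n < 0 || (size_t)n >= sizeof(lock) - pos` as an error rather than carry on with the truncated name. The scan loop also relies on `lock` being NUL-terminated within its declared size; if that invariant holds, a comment such as `/* lock is always terminated, so pos < sizeof(lock) */` above the loop would make the subtraction's safety explicit.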
Index: src/games/hack/hack.unix.c
diff -u src/games/hack/hack.unix.c:1.9.26.1 src/games/hack/hack.unix.c:1.9.26.2
--- src/games/hack/hack.unix.c:1.9.26.1	Mon Jun 29 23:43:48 2009
+++ src/games/hack/hack.unix.c	Mon Jun 29 23:46:51 2009
@@ -1,4 +1,4 @@
-/*	$NetBSD: hack.unix.c,v 1.9.26.1 2009/06/29 23:43:48 snj Exp $	*/
+/*	$NetBSD: hack.unix.c,v 1.9.26.2 2009/06/29 23:46:51 snj Exp $	*/
 
 /*
  * Copyright (c) 1985, Stichting Centrum voor Wiskunde en Informatica,
@@ -63,7 +63,7 @@
 
 #include <sys/cdefs.h>
 #ifndef lint
-__RCSID("$NetBSD: hack.unix.c,v 1.9.26.1 2009/06/29 23:43:48 snj Exp $");
+__RCSID("$NetBSD: hack.unix.c,v 1.9.26.2 2009/06/29 23:46:51 snj Exp $");
 #endif				/* not lint */
 
 /* This file collects some Unix dependencies; hack.pager.c contains some more */
@@ -193,11 +193,11 @@
 		if ((np = strchr(path, ':')) == NULL)
 			np = path + strlen(path);	/* point to end str */
 		if (np - path <= 1)	/* %% */
-			(void) strcpy(filename, name);
+			(void) strlcpy(filename, name, sizeof(filename));
 		else {
-			(void) strncpy(filename, path, np - path);
-			filename[np - path] = '/';
-			(void) strcpy(filename + (np - path) + 1, name);
+			(void) snprintf(filename, sizeof(filename),
+				"%.*s/%s",
+				(int)(np - path), path, name);
 		}
 		if (stat(filename, &hbuf) == 0)
 			return;
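Review bot: Both new copies into `filename` discard their result, so a search-path element plus `name` that exceeds `sizeof(filename)` is truncated and the truncated string is still handed to `stat()`, which may then match a file other than the one intended. `path` looks like a colon-separated search path, presumably taken from the environment, so its length is not under the program's control. Keeping the `snprintf` return value and calling `stat()` only when the name fit, e.g. `if (n >= 0 && (size_t)n < sizeof(filename) && stat(filename, &hbuf) == 0)`, avoids acting on a cut-off path; the `strlcpy` branch needs the equivalent test on its return value. The enclosing function starts and ends outside the hunk.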

Index: src/games/hack/hack.rip.c
diff -u src/games/hack/hack.rip.c:1.7.26.1 src/games/hack/hack.rip.c:1.7.26.2
--- src/games/hack/hack.rip.c:1.7.26.1	Mon Jun 29 23:43:48 2009
+++ src/games/hack/hack.rip.c	Mon Jun 29 23:46:51 2009
@@ -1,4 +1,4 @@
-/*	$NetBSD: hack.rip.c,v 1.7.26.1 2009/06/29 23:43:48 snj Exp $	*/
+/*	$NetBSD: hack.rip.c,v 1.7.26.2 2009/06/29 23:46:51 snj Exp $	*/
 
 /*
  * Copyright (c) 1985, Stichting Centrum voor Wiskunde en Informatica,
@@ -63,7 +63,7 @@
 
 #include <sys/cdefs.h>
 #ifndef lint
-__RCSID("$NetBSD: hack.rip.c,v 1.7.26.1 2009/06/29 23:43:48 snj Exp $");
+__RCSID("$NetBSD: hack.rip.c,v 1.7.26.2 2009/06/29 23:46:51 snj Exp $");
 #endif				/* not lint */
 
 #include "hack.h"
@@ -101,7 +101,7 @@
 		       !strcmp(killer, "starvation") ? "" :
 		       strchr(vowels, *killer) ? " an" : " a");
 	center(8, buf);
-	(void) strcpy(buf, killer);
+	(void) strlcpy(buf, killer, sizeof(buf));
 	{
 		int             i1;
 		if ((i1 = strlen(buf)) > 16) {
Index: src/games/hack/hack.topl.c
diff -u src/games/hack/hack.topl.c:1.7.26.1 src/games/hack/hack.topl.c:1.7.26.2
--- src/games/hack/hack.topl.c:1.7.26.1	Mon Jun 29 23:43:48 2009
+++ src/games/hack/hack.topl.c	Mon Jun 29 23:46:51 2009
@@ -1,4 +1,4 @@
-/*	$NetBSD: hack.topl.c,v 1.7.26.1 2009/06/29 23:43:48 snj Exp $	*/
+/*	$NetBSD: hack.topl.c,v 1.7.26.2 2009/06/29 23:46:51 snj Exp $	*/
 
 /*
  * Copyright (c) 1985, Stichting Centrum voor Wiskunde en Informatica,
@@ -63,7 +63,7 @@
 
 #include <sys/cdefs.h>
 #ifndef lint
-__RCSID("$NetBSD: hack.topl.c,v 1.7.26.1 2009/06/29 23:43:48 snj Exp $");
+__RCSID("$NetBSD: hack.topl.c,v 1.7.26.2 2009/06/29 23:46:51 snj Exp $");
 #endif				/* not lint */
 
 #include <stdlib.h>
@@ -216,7 +216,7 @@
 {
 	char            pbuf[BUFSZ];
 	char           *bp = pbuf, *tl;
-	int             n, n0;
+	int             n, n0, tlpos, dead;
 
 	if (!line || !*line)
 		return;
@@ -244,8 +244,9 @@
 	if (flags.toplin == 1)
 		more();
 	remember_topl();
+	dead = 0;
 	toplines[0] = 0;
-	while (n0) {
+	while (n0 && !dead) {
 		if (n0 >= CO) {
 			/* look for appropriate cut point */
 			n0 = 0;
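Review bot: The new `dead` flag is initialised here and tested in `while (n0 && !dead)` without a comment, and its name does not say what it tracks. From the following hunk it is set when the remaining text no longer fits in `toplines`, so a comment like `/* set once toplines is full; the rest of the message is dropped */` at `dead = 0;` would make the silent truncation explicit. That following hunk also mixes `int` and `size_t` in the bound (`tlpos + n0 > (int)sizeof(toplines) - 1`, then `n0 = sizeof(toplines) - 1 - tlpos`); it works while `toplines` is terminated and small, but declaring `tlpos` as `size_t` and comparing in one type would remove the cast. The enclosing function starts and ends outside the hunk.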
@@ -259,7 +260,14 @@
 			if (!n0)
 				n0 = CO - 2;
 		}
-		(void) strncpy((tl = eos(toplines)), bp, n0);
+		tlpos = strlen(toplines);
+		tl = toplines + tlpos;
+		/* avoid overflow */
+		if (tlpos + n0 > (int)sizeof(toplines) - 1) {
+			n0 = sizeof(toplines) - 1 - tlpos;
+			dead = 1;
+		}
+		(void) memcpy(tl, bp, n0);
 		tl[n0] = 0;
 		bp += n0;
 
@@ -269,7 +277,7 @@
 
 		n0 = strlen(bp);
 		if (n0 && tl[0])
-			(void) strcat(tl, "\n");
+			(void) strlcat(toplines, "\n", sizeof(toplines));
 	}
 	redotoplin();
 }
