pkgsrc-Changes-HG archive


[pkgsrc/trunk]: pkgsrc/games/crossfire-server Security fix for CAN-2006-1236



details:   https://anonhg.NetBSD.org/pkgsrc/rev/0be68ec363f9
branches:  trunk
changeset: 514345:0be68ec363f9
user:      adrianp <adrianp%pkgsrc.org@localhost>
date:      Sun Jun 11 11:36:47 2006 +0000

description:
Security fix for CAN-2006-1236
PKGREVISION bumped

diffstat:

 games/crossfire-server/Makefile         |    3 +-
 games/crossfire-server/distinfo         |    3 +-
 games/crossfire-server/patches/patch-ab |  217 ++++++++++++++++++++++++++++++++
 3 files changed, 221 insertions(+), 2 deletions(-)

diffs (247 lines):

diff -r 8f5738267002 -r 0be68ec363f9 games/crossfire-server/Makefile
--- a/games/crossfire-server/Makefile   Sun Jun 11 09:42:40 2006 +0000
+++ b/games/crossfire-server/Makefile   Sun Jun 11 11:36:47 2006 +0000
@@ -1,7 +1,8 @@
-# $NetBSD: Makefile,v 1.1.1.1 2006/05/11 05:59:36 adam Exp $
+# $NetBSD: Makefile,v 1.2 2006/06/11 11:36:47 adrianp Exp $
 
 DISTNAME=      crossfire-1.9.0
 PKGNAME=       crossfire-server-1.9.0
+PKGREVISION=   1
 CATEGORIES=    games x11
 MASTER_SITES=  ${MASTER_SITE_SOURCEFORGE:=crossfire/}
 
diff -r 8f5738267002 -r 0be68ec363f9 games/crossfire-server/distinfo
--- a/games/crossfire-server/distinfo   Sun Jun 11 09:42:40 2006 +0000
+++ b/games/crossfire-server/distinfo   Sun Jun 11 11:36:47 2006 +0000
@@ -1,7 +1,8 @@
-$NetBSD: distinfo,v 1.1.1.1 2006/05/11 05:59:36 adam Exp $
+$NetBSD: distinfo,v 1.2 2006/06/11 11:36:47 adrianp Exp $
 
 SHA1 (crossfire-1.9.0.tar.gz) = 7f8ef84f4d465736fc854b4be4e32f39ed415eaf
 RMD160 (crossfire-1.9.0.tar.gz) = 6069e1d566a738c73756096240694d8f62ab8ce4
 Size (crossfire-1.9.0.tar.gz) = 5317109 bytes
 SHA1 (patch-aa) = 7102244e70498f89dc2f0a600415f06dcb93853f
+SHA1 (patch-ab) = b50c940ab25f3b2361afa6ae49be6edab498f43e
 SHA1 (patch-ae) = 4f9aee487d8cff1bb6295f3661d0194d045b328c
diff -r 8f5738267002 -r 0be68ec363f9 games/crossfire-server/patches/patch-ab
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/games/crossfire-server/patches/patch-ab   Sun Jun 11 11:36:47 2006 +0000
@@ -0,0 +1,217 @@
+$NetBSD: patch-ab,v 1.1 2006/06/11 11:36:47 adrianp Exp $
+
+--- socket/request.c.orig      2006-02-25 08:02:11.000000000 +0000
++++ socket/request.c
+@@ -109,7 +109,7 @@ short atnr_cs_stat[NROFATTACKS] = {CS_ST
+ /** This is the Setup cmd - easy first implementation */
+ void SetUp(char *buf, int len, NewSocket *ns)
+ {
+-    int s;
++    int s, slen;
+     char *cmd, *param, cmdback[HUGE_BUF];
+ 
+     /* run through the cmds of setup
+@@ -139,40 +139,40 @@ void SetUp(char *buf, int len, NewSocket
+       buf[s++]=0;
+       while (buf[s] == ' ') s++;
+               
+-      strcat(cmdback, " ");
+-      strcat(cmdback, cmd);
+-      strcat(cmdback, " ");
+-
++      slen = strlen(cmdback);
++      safe_strcat(cmdback, " ", &slen, HUGE_BUF);
++      safe_strcat(cmdback, cmd, &slen, HUGE_BUF);
++      safe_strcat(cmdback, " ", &slen, HUGE_BUF);
+       
+       if (!strcmp(cmd,"sound")) {
+           ns->sound = atoi(param);
+-          strcat(cmdback, param);
++          safe_strcat(cmdback, param, &slen, HUGE_BUF);
+       }
+       else if (!strcmp(cmd,"exp64")) {
+           ns->exp64 = atoi(param);
+-          strcat(cmdback, param);
++          safe_strcat(cmdback, param, &slen, HUGE_BUF);
+       } else if (!strcmp(cmd, "spellmon")) {
+           ns->monitor_spells = atoi(param);
+-          strcat(cmdback, param);
++          safe_strcat(cmdback, param, &slen, HUGE_BUF);
+       }  else if (!strcmp(cmd,"darkness")) {
+           ns->darkness = atoi(param);
+-          strcat(cmdback, param);
++          safe_strcat(cmdback, param, &slen, HUGE_BUF);
+       } else if (!strcmp(cmd,"map1cmd")) {
+           if (atoi(param)) ns->mapmode = Map1Cmd;
+           /* if beyond this size, need to use map1cmd no matter what */
+           if (ns->mapx>11 || ns->mapy>11) ns->mapmode = Map1Cmd;
+-          strcat(cmdback, ns->mapmode == Map1Cmd?"1":"0");
++          safe_strcat(cmdback, ns->mapmode == Map1Cmd?"1":"0", &slen, HUGE_BUF);
+       } else if (!strcmp(cmd,"map1acmd")) {
+           if (atoi(param)) ns->mapmode = Map1aCmd;
+           /* if beyond this size, need to use map1acmd no matter what */
+           if (ns->mapx>11 || ns->mapy>11) ns->mapmode = Map1aCmd;
+-          strcat(cmdback, ns->mapmode == Map1aCmd?"1":"0");
++          safe_strcat(cmdback, ns->mapmode == Map1aCmd?"1":"0", &slen, HUGE_BUF);
+         } else if (!strcmp(cmd,"newmapcmd")) {
+             ns->newmapcmd= atoi(param);
+-            strcat(cmdback, param);
++          safe_strcat(cmdback, param, &slen, HUGE_BUF);
+       } else if (!strcmp(cmd,"facecache")) {
+           ns->facecache = atoi(param);
+-            strcat(cmdback, param);
++          safe_strcat(cmdback, param, &slen, HUGE_BUF);
+       } else if (!strcmp(cmd,"faceset")) {
+           char tmpbuf[20];
+           int q = atoi(param);
+@@ -180,7 +180,7 @@ void SetUp(char *buf, int len, NewSocket
+           if (is_valid_faceset(q))
+               ns->faceset=q;
+           sprintf(tmpbuf,"%d", ns->faceset);
+-          strcat(cmdback, tmpbuf);
++          safe_strcat(cmdback, tmpbuf, &slen, HUGE_BUF);
+           /* if the client is using faceset, it knows about image2 command */
+           ns->image2=1;
+       } else if (!strcmp(cmd,"itemcmd")) {
+@@ -196,7 +196,7 @@ void SetUp(char *buf, int len, NewSocket
+               ns->itemcmd = q;
+               sprintf(tmpbuf,"%d", ns->itemcmd);
+           }
+-          strcat(cmdback, tmpbuf);
++          safe_strcat(cmdback, tmpbuf, &slen, HUGE_BUF);
+         } else if (!strcmp(cmd,"mapsize")) {
+           int x, y=0;
+           char tmpbuf[MAX_BUF], *cp;
+@@ -209,7 +209,7 @@ void SetUp(char *buf, int len, NewSocket
+               }
+           if (x < 9 || y < 9 || x>MAP_CLIENT_X || y > MAP_CLIENT_Y) {
+               sprintf(tmpbuf," %dx%d", MAP_CLIENT_X, MAP_CLIENT_Y);
+-              strcat(cmdback, tmpbuf);
++              safe_strcat(cmdback, tmpbuf, &slen, HUGE_BUF);
+           } else {
+               ns->mapx = x;
+               ns->mapy = y;
+@@ -217,34 +217,35 @@ void SetUp(char *buf, int len, NewSocket
+                * param as given to us in case it gets parsed differently.
+                */
+               sprintf(tmpbuf,"%dx%d", x,y);
+-              strcat(cmdback, tmpbuf);
++              safe_strcat(cmdback, tmpbuf, &slen, HUGE_BUF);
+               /* If beyond this size and still using orig map command, need to
+                * go to map1cmd.
+                */
+               if ((x>11 || y>11) && ns->mapmode == Map0Cmd) ns->mapmode = Map1Cmd;
+           }
+       } else if (!strcmp(cmd,"extendedMapInfos")) {
+-        /* Added by tchize
+-         * prepare to use the mapextended command
+-         */
++          /* Added by tchize
++           * prepare to use the mapextended command
++           */
+           char tmpbuf[20];
+-        ns->ext_mapinfos = (atoi(param));
++          ns->ext_mapinfos = (atoi(param));
+           sprintf(tmpbuf,"%d", ns->ext_mapinfos);
+-          strcat(cmdback, tmpbuf);
++          safe_strcat(cmdback, tmpbuf, &slen, HUGE_BUF);
+       } else if (!strcmp(cmd,"extendedTextInfos")) {
+-        /* Added by tchize
+-         * prepare to use the extended text commands
+-         * Client toggle this to non zero to get exttext
+-         */
++          /* Added by tchize
++           * prepare to use the extended text commands
++           * Client toggle this to non zero to get exttext
++           */
+           char tmpbuf[20];
+-        ns->has_readable_type = (atoi(param));
++
++          ns->has_readable_type = (atoi(param));
+           sprintf(tmpbuf,"%d", ns->has_readable_type);
+-          strcat(cmdback, tmpbuf);
++          safe_strcat(cmdback, tmpbuf, &slen, HUGE_BUF);
+       } else {
+           /* Didn't get a setup command we understood -
+            * report a failure to the client.
+            */
+-          strcat(cmdback, "FALSE");
++          safe_strcat(cmdback, "FALSE", &slen, HUGE_BUF);
+       }
+     } /* for processing all the setup commands */
+     LOG(llevInfo,"SendBack SetupCmd:: %s\n", cmdback);
+@@ -619,7 +620,7 @@ void VersionCmd(char *buf, int len,NewSo
+     }
+     cp = strchr(cp+1, ' ');
+     if (cp) {
+-      LOG(llevDebug,"CS: connection from client of type <%s>\n", cp);
++      LOG(llevDebug,"CS: connection from client of type <%s>, ip %s\n", cp, ns->host);
+ 
+       /* This is first implementation - i skip all beta DX clients with it 
+        * Add later stuff here for other clients 
+@@ -1925,12 +1926,12 @@ void send_skill_info(NewSocket *ns, char
+     int i;
+ 
+     sl.buf = malloc(MAXSOCKBUF);
+-    strcpy(sl.buf,"replyinfo skill_info\n");
++    strcpy((char*)sl.buf,"replyinfo skill_info\n");
+     for (i=1; i< NUM_SKILLS; i++) {
+-      sprintf(sl.buf + strlen(sl.buf), "%d:%s\n", i + CS_STAT_SKILLINFO,
++      sprintf((char*)sl.buf + strlen((char*)sl.buf), "%d:%s\n", i + CS_STAT_SKILLINFO,
+               skill_names[i]);
+     }
+-    sl.len = strlen(sl.buf);
++    sl.len = strlen((char*)sl.buf);
+     if (sl.len > MAXSOCKBUF) {
+       LOG(llevError,"Buffer overflow in send_skill_info!\n");
+       fatal(0);
+@@ -1948,10 +1949,10 @@ void send_spell_paths (NewSocket *ns, ch
+     int i;
+ 
+     sl.buf = malloc(MAXSOCKBUF);
+-    strcpy(sl.buf,"replyinfo spell_paths\n");
++    strcpy((char*)sl.buf,"replyinfo spell_paths\n");
+     for(i=0; i<NRSPELLPATHS; i++)
+-      sprintf(sl.buf + strlen(sl.buf), "%d:%s\n", 1<<i, spellpathnames[i]);
+-    sl.len = strlen(sl.buf);
++      sprintf((char*)sl.buf + strlen((char*)sl.buf), "%d:%s\n", 1<<i, spellpathnames[i]);
++    sl.len = strlen((char*)sl.buf);
+     if (sl.len > MAXSOCKBUF) {
+       LOG(llevError,"Buffer overflow in send_spell_paths!\n");
+       fatal(0);
+@@ -1986,7 +1987,7 @@ void esrv_update_spells(player *pl) {
+           }
+           if (flags !=0) {
+               sl.buf = malloc(MAXSOCKBUF);
+-              strcpy(sl.buf,"updspell ");
++              strcpy((char*)sl.buf,"updspell ");
+               sl.len=strlen((char*)sl.buf);
+               SockList_AddChar(&sl, flags);
+               SockList_AddInt(&sl, spell->count);
+@@ -2010,7 +2011,7 @@ void esrv_remove_spell(player *pl, objec
+       return;
+     }
+     sl.buf = malloc(MAXSOCKBUF);
+-    strcpy(sl.buf,"delspell ");
++    strcpy((char*)sl.buf,"delspell ");
+     sl.len=strlen((char*)sl.buf);
+     SockList_AddInt(&sl, spell->count);
+     Send_With_Handling(&pl->socket, &sl);
+@@ -2078,7 +2079,7 @@ void esrv_add_spells(player *pl, object 
+     }
+     if (!pl->socket.monitor_spells) return;
+     sl.buf = malloc(MAXSOCKBUF);
+-    strcpy(sl.buf,"addspell ");
++    strcpy((char*)sl.buf,"addspell ");
+     sl.len=strlen((char*)sl.buf);
+     if (!spell) {
+       for (spell=pl->ob->inv; spell!=NULL; spell=spell->below) {
+@@ -2099,7 +2100,7 @@ void esrv_add_spells(player *pl, object 
+           if (sl.len > (MAXSOCKBUF - (26 + strlen(spell->name) + 
+                               (spell->msg?strlen(spell->msg):0)))) {
+               Send_With_Handling(&pl->socket, &sl);
+-              strcpy(sl.buf,"addspell ");
++              strcpy((char*)sl.buf,"addspell ");
+               sl.len=strlen((char*)sl.buf);
+           }
+           append_spell(pl, &sl, spell);
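Review bot: In send_skill_info and send_spell_paths the `sl.len > MAXSOCKBUF` test runs only after the `sprintf` loop has already written into the `MAXSOCKBUF`-byte allocation, so it can report an overrun but not prevent one, and it misses the case where the length equals `MAXSOCKBUF` and the terminator lands one byte past the end. The patch only adds `(char*)` casts on these lines, so the unbounded append pattern that the `safe_strcat` conversion removes from SetUp is still present here. Bounding each append would close it, for example `n = snprintf((char*)sl.buf + sl.len, MAXSOCKBUF - sl.len, "%d:%s\n", i + CS_STAT_SKILLINFO, skill_names[i]);` followed by `if (n < 0 || n >= MAXSOCKBUF - sl.len) break; sl.len += n;`, with `sl.len` set right after the initial `strcpy`. The result of `malloc(MAXSOCKBUF)` is also used without a NULL check in both functions. Both function bodies start and end outside the quoted hunks, and the appended strings appear to come from server-side tables rather than client input, so the exposure is probably limited to oversized tables.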


