pkgsrc-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[pkgsrc/trunk]: pkgsrc/games/crossfire-server Security fix for CAN-2006-1236
details: https://anonhg.NetBSD.org/pkgsrc/rev/0be68ec363f9
branches: trunk
changeset: 514345:0be68ec363f9
user: adrianp <adrianp%pkgsrc.org@localhost>
date: Sun Jun 11 11:36:47 2006 +0000
description:
Security fix for CAN-2006-1236
PKGREVISON bumped
diffstat:
games/crossfire-server/Makefile | 3 +-
games/crossfire-server/distinfo | 3 +-
games/crossfire-server/patches/patch-ab | 217 ++++++++++++++++++++++++++++++++
3 files changed, 221 insertions(+), 2 deletions(-)
diffs (247 lines):
diff -r 8f5738267002 -r 0be68ec363f9 games/crossfire-server/Makefile
--- a/games/crossfire-server/Makefile Sun Jun 11 09:42:40 2006 +0000
+++ b/games/crossfire-server/Makefile Sun Jun 11 11:36:47 2006 +0000
@@ -1,7 +1,8 @@
-# $NetBSD: Makefile,v 1.1.1.1 2006/05/11 05:59:36 adam Exp $
+# $NetBSD: Makefile,v 1.2 2006/06/11 11:36:47 adrianp Exp $
DISTNAME= crossfire-1.9.0
PKGNAME= crossfire-server-1.9.0
+PKGREVISION= 1
CATEGORIES= games x11
MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=crossfire/}
diff -r 8f5738267002 -r 0be68ec363f9 games/crossfire-server/distinfo
--- a/games/crossfire-server/distinfo Sun Jun 11 09:42:40 2006 +0000
+++ b/games/crossfire-server/distinfo Sun Jun 11 11:36:47 2006 +0000
@@ -1,7 +1,8 @@
-$NetBSD: distinfo,v 1.1.1.1 2006/05/11 05:59:36 adam Exp $
+$NetBSD: distinfo,v 1.2 2006/06/11 11:36:47 adrianp Exp $
SHA1 (crossfire-1.9.0.tar.gz) = 7f8ef84f4d465736fc854b4be4e32f39ed415eaf
RMD160 (crossfire-1.9.0.tar.gz) = 6069e1d566a738c73756096240694d8f62ab8ce4
Size (crossfire-1.9.0.tar.gz) = 5317109 bytes
SHA1 (patch-aa) = 7102244e70498f89dc2f0a600415f06dcb93853f
+SHA1 (patch-ab) = b50c940ab25f3b2361afa6ae49be6edab498f43e
SHA1 (patch-ae) = 4f9aee487d8cff1bb6295f3661d0194d045b328c
diff -r 8f5738267002 -r 0be68ec363f9 games/crossfire-server/patches/patch-ab
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/games/crossfire-server/patches/patch-ab Sun Jun 11 11:36:47 2006 +0000
@@ -0,0 +1,217 @@
+$NetBSD: patch-ab,v 1.1 2006/06/11 11:36:47 adrianp Exp $
+
+--- socket/request.c.orig 2006-02-25 08:02:11.000000000 +0000
++++ socket/request.c
+@@ -109,7 +109,7 @@ short atnr_cs_stat[NROFATTACKS] = {CS_ST
+ /** This is the Setup cmd - easy first implementation */
+ void SetUp(char *buf, int len, NewSocket *ns)
+ {
+- int s;
++ int s, slen;
+ char *cmd, *param, cmdback[HUGE_BUF];
+
+ /* run through the cmds of setup
+@@ -139,40 +139,40 @@ void SetUp(char *buf, int len, NewSocket
+ buf[s++]=0;
+ while (buf[s] == ' ') s++;
+
+- strcat(cmdback, " ");
+- strcat(cmdback, cmd);
+- strcat(cmdback, " ");
+-
++ slen = strlen(cmdback);
++ safe_strcat(cmdback, " ", &slen, HUGE_BUF);
++ safe_strcat(cmdback, cmd, &slen, HUGE_BUF);
++ safe_strcat(cmdback, " ", &slen, HUGE_BUF);
+
+ if (!strcmp(cmd,"sound")) {
+ ns->sound = atoi(param);
+- strcat(cmdback, param);
++ safe_strcat(cmdback, param, &slen, HUGE_BUF);
+ }
+ else if (!strcmp(cmd,"exp64")) {
+ ns->exp64 = atoi(param);
+- strcat(cmdback, param);
++ safe_strcat(cmdback, param, &slen, HUGE_BUF);
+ } else if (!strcmp(cmd, "spellmon")) {
+ ns->monitor_spells = atoi(param);
+- strcat(cmdback, param);
++ safe_strcat(cmdback, param, &slen, HUGE_BUF);
+ } else if (!strcmp(cmd,"darkness")) {
+ ns->darkness = atoi(param);
+- strcat(cmdback, param);
++ safe_strcat(cmdback, param, &slen, HUGE_BUF);
+ } else if (!strcmp(cmd,"map1cmd")) {
+ if (atoi(param)) ns->mapmode = Map1Cmd;
+ /* if beyond this size, need to use map1cmd no matter what */
+ if (ns->mapx>11 || ns->mapy>11) ns->mapmode = Map1Cmd;
+- strcat(cmdback, ns->mapmode == Map1Cmd?"1":"0");
++ safe_strcat(cmdback, ns->mapmode == Map1Cmd?"1":"0", &slen, HUGE_BUF);
+ } else if (!strcmp(cmd,"map1acmd")) {
+ if (atoi(param)) ns->mapmode = Map1aCmd;
+ /* if beyond this size, need to use map1acmd no matter what */
+ if (ns->mapx>11 || ns->mapy>11) ns->mapmode = Map1aCmd;
+- strcat(cmdback, ns->mapmode == Map1aCmd?"1":"0");
++ safe_strcat(cmdback, ns->mapmode == Map1aCmd?"1":"0", &slen, HUGE_BUF);
+ } else if (!strcmp(cmd,"newmapcmd")) {
+ ns->newmapcmd= atoi(param);
+- strcat(cmdback, param);
++ safe_strcat(cmdback, param, &slen, HUGE_BUF);
+ } else if (!strcmp(cmd,"facecache")) {
+ ns->facecache = atoi(param);
+- strcat(cmdback, param);
++ safe_strcat(cmdback, param, &slen, HUGE_BUF);
+ } else if (!strcmp(cmd,"faceset")) {
+ char tmpbuf[20];
+ int q = atoi(param);
+@@ -180,7 +180,7 @@ void SetUp(char *buf, int len, NewSocket
+ if (is_valid_faceset(q))
+ ns->faceset=q;
+ sprintf(tmpbuf,"%d", ns->faceset);
+- strcat(cmdback, tmpbuf);
++ safe_strcat(cmdback, tmpbuf, &slen, HUGE_BUF);
+ /* if the client is using faceset, it knows about image2 command */
+ ns->image2=1;
+ } else if (!strcmp(cmd,"itemcmd")) {
+@@ -196,7 +196,7 @@ void SetUp(char *buf, int len, NewSocket
+ ns->itemcmd = q;
+ sprintf(tmpbuf,"%d", ns->itemcmd);
+ }
+- strcat(cmdback, tmpbuf);
++ safe_strcat(cmdback, tmpbuf, &slen, HUGE_BUF);
+ } else if (!strcmp(cmd,"mapsize")) {
+ int x, y=0;
+ char tmpbuf[MAX_BUF], *cp;
+@@ -209,7 +209,7 @@ void SetUp(char *buf, int len, NewSocket
+ }
+ if (x < 9 || y < 9 || x>MAP_CLIENT_X || y > MAP_CLIENT_Y) {
+ sprintf(tmpbuf," %dx%d", MAP_CLIENT_X, MAP_CLIENT_Y);
+- strcat(cmdback, tmpbuf);
++ safe_strcat(cmdback, tmpbuf, &slen, HUGE_BUF);
+ } else {
+ ns->mapx = x;
+ ns->mapy = y;
+@@ -217,34 +217,35 @@ void SetUp(char *buf, int len, NewSocket
+ * param as given to us in case it gets parsed differently.
+ */
+ sprintf(tmpbuf,"%dx%d", x,y);
+- strcat(cmdback, tmpbuf);
++ safe_strcat(cmdback, tmpbuf, &slen, HUGE_BUF);
+ /* If beyond this size and still using orig map command, need to
+ * go to map1cmd.
+ */
+ if ((x>11 || y>11) && ns->mapmode == Map0Cmd) ns->mapmode = Map1Cmd;
+ }
+ } else if (!strcmp(cmd,"extendedMapInfos")) {
+- /* Added by tchize
+- * prepare to use the mapextended command
+- */
++ /* Added by tchize
++ * prepare to use the mapextended command
++ */
+ char tmpbuf[20];
+- ns->ext_mapinfos = (atoi(param));
++ ns->ext_mapinfos = (atoi(param));
+ sprintf(tmpbuf,"%d", ns->ext_mapinfos);
+- strcat(cmdback, tmpbuf);
++ safe_strcat(cmdback, tmpbuf, &slen, HUGE_BUF);
+ } else if (!strcmp(cmd,"extendedTextInfos")) {
+- /* Added by tchize
+- * prepare to use the extended text commands
+- * Client toggle this to non zero to get exttext
+- */
++ /* Added by tchize
++ * prepare to use the extended text commands
++ * Client toggle this to non zero to get exttext
++ */
+ char tmpbuf[20];
+- ns->has_readable_type = (atoi(param));
++
++ ns->has_readable_type = (atoi(param));
+ sprintf(tmpbuf,"%d", ns->has_readable_type);
+- strcat(cmdback, tmpbuf);
++ safe_strcat(cmdback, tmpbuf, &slen, HUGE_BUF);
+ } else {
+ /* Didn't get a setup command we understood -
+ * report a failure to the client.
+ */
+- strcat(cmdback, "FALSE");
++ safe_strcat(cmdback, "FALSE", &slen, HUGE_BUF);
+ }
+ } /* for processing all the setup commands */
+ LOG(llevInfo,"SendBack SetupCmd:: %s\n", cmdback);
+@@ -619,7 +620,7 @@ void VersionCmd(char *buf, int len,NewSo
+ }
+ cp = strchr(cp+1, ' ');
+ if (cp) {
+- LOG(llevDebug,"CS: connection from client of type <%s>\n", cp);
++ LOG(llevDebug,"CS: connection from client of type <%s>, ip %s\n", cp, ns->host);
+
+ /* This is first implementation - i skip all beta DX clients with it
+ * Add later stuff here for other clients
+@@ -1925,12 +1926,12 @@ void send_skill_info(NewSocket *ns, char
+ int i;
+
+ sl.buf = malloc(MAXSOCKBUF);
+- strcpy(sl.buf,"replyinfo skill_info\n");
++ strcpy((char*)sl.buf,"replyinfo skill_info\n");
+ for (i=1; i< NUM_SKILLS; i++) {
+- sprintf(sl.buf + strlen(sl.buf), "%d:%s\n", i + CS_STAT_SKILLINFO,
++ sprintf((char*)sl.buf + strlen((char*)sl.buf), "%d:%s\n", i + CS_STAT_SKILLINFO,
+ skill_names[i]);
+ }
+- sl.len = strlen(sl.buf);
++ sl.len = strlen((char*)sl.buf);
+ if (sl.len > MAXSOCKBUF) {
+ LOG(llevError,"Buffer overflow in send_skill_info!\n");
+ fatal(0);
+@@ -1948,10 +1949,10 @@ void send_spell_paths (NewSocket *ns, ch
+ int i;
+
+ sl.buf = malloc(MAXSOCKBUF);
+- strcpy(sl.buf,"replyinfo spell_paths\n");
++ strcpy((char*)sl.buf,"replyinfo spell_paths\n");
+ for(i=0; i<NRSPELLPATHS; i++)
+- sprintf(sl.buf + strlen(sl.buf), "%d:%s\n", 1<<i, spellpathnames[i]);
+- sl.len = strlen(sl.buf);
++ sprintf((char*)sl.buf + strlen((char*)sl.buf), "%d:%s\n", 1<<i, spellpathnames[i]);
++ sl.len = strlen((char*)sl.buf);
+ if (sl.len > MAXSOCKBUF) {
+ LOG(llevError,"Buffer overflow in send_spell_paths!\n");
+ fatal(0);
+@@ -1986,7 +1987,7 @@ void esrv_update_spells(player *pl) {
+ }
+ if (flags !=0) {
+ sl.buf = malloc(MAXSOCKBUF);
+- strcpy(sl.buf,"updspell ");
++ strcpy((char*)sl.buf,"updspell ");
+ sl.len=strlen((char*)sl.buf);
+ SockList_AddChar(&sl, flags);
+ SockList_AddInt(&sl, spell->count);
+@@ -2010,7 +2011,7 @@ void esrv_remove_spell(player *pl, objec
+ return;
+ }
+ sl.buf = malloc(MAXSOCKBUF);
+- strcpy(sl.buf,"delspell ");
++ strcpy((char*)sl.buf,"delspell ");
+ sl.len=strlen((char*)sl.buf);
+ SockList_AddInt(&sl, spell->count);
+ Send_With_Handling(&pl->socket, &sl);
+@@ -2078,7 +2079,7 @@ void esrv_add_spells(player *pl, object
+ }
+ if (!pl->socket.monitor_spells) return;
+ sl.buf = malloc(MAXSOCKBUF);
+- strcpy(sl.buf,"addspell ");
++ strcpy((char*)sl.buf,"addspell ");
+ sl.len=strlen((char*)sl.buf);
+ if (!spell) {
+ for (spell=pl->ob->inv; spell!=NULL; spell=spell->below) {
+@@ -2099,7 +2100,7 @@ void esrv_add_spells(player *pl, object
+ if (sl.len > (MAXSOCKBUF - (26 + strlen(spell->name) +
+ (spell->msg?strlen(spell->msg):0)))) {
+ Send_With_Handling(&pl->socket, &sl);
+- strcpy(sl.buf,"addspell ");
++ strcpy((char*)sl.buf,"addspell ");
+ sl.len=strlen((char*)sl.buf);
+ }
+ append_spell(pl, &sl, spell);
Home |
Main Index |
Thread Index |
Old Index