Complete.Org: Mailing Lists: Archives: freeciv-dev: September 2004:
[Freeciv-Dev] (PR#9948) potential buffer overread in dataio

To: undisclosed-recipients: ;
Subject: [Freeciv-Dev] (PR#9948) potential buffer overread in dataio
From: "Jason Short" <jdorje@xxxxxxxxxxxxxxxxxxxxx>
Date: Sun, 5 Sep 2004 00:27:15 -0700
Reply-to: rt@xxxxxxxxxxx

<URL: http://rt.freeciv.org/Ticket/Display.html?id=9948 >

In dio_get_string:

   for (offset = 0; c[offset] != '\0' && offset < remaining; offset++) {

the conditional is wrong.  If we ever do hit the limit then the read 
will be on invalid memory before the second check tells us that we've 
gone too far.  These conditions should be reversed.

jason

Index: common/dataio.c
===================================================================
RCS file: /home/freeciv/CVS/freeciv/common/dataio.c,v
retrieving revision 1.12
diff -u -r1.12 dataio.c
--- common/dataio.c     2 Sep 2004 22:01:51 -0000       1.12
+++ common/dataio.c     5 Sep 2004 07:26:50 -0000
@@ -543,7 +543,7 @@
   c = ADD_TO_POINTER(din->src, din->current);
 
   /* avoid using strlen (or strcpy) on an (unsigned char*)  --dwp */
-  for (offset = 0; c[offset] != '\0' && offset < remaining; offset++) {
+  for (offset = 0; offset < remaining && c[offset] != '\0'; offset++) {
     /* nothing */
   }
 
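Review bot: swapping the operands is the right fix, because && short-circuits, so c[offset] is now only dereferenced after offset < remaining has held; what this hunk does not show is the code after the loop, and that is worth checking too: when the loop exits with offset == remaining, no terminator was found inside the buffer, and that case should be treated as a truncated or malformed packet (error flag or early return) rather than as a string of length remaining, otherwise a later copy driven by offset could still run past the end of the input.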

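As an added example (not freeciv's code), the patched loop written out as a complete bounded string read that also handles the case the hunk leaves implicit: a buffer with no terminator inside the remaining bytes. struct data_in, dio_remaining and dio_get_string_checked are hypothetical stand-ins for the real dataio types and are defined here only for this illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-in for the dataio input stream: a byte buffer plus
 * a read cursor.  Not the project's own definition. */
struct data_in {
  const unsigned char *src;
  size_t src_size;
  size_t current;
  bool too_short;   /* set once a read would run off the end of src */
};

/* Bytes still readable from the cursor position. */
static size_t dio_remaining(const struct data_in *din)
{
  return din->current < din->src_size ? din->src_size - din->current : 0;
}

/* Copy a NUL-terminated string out of the stream into dest (at most
 * dest_size bytes, always NUL-terminated).  Uses the PR#9948 ordering:
 * the limit is tested before the byte, so c[offset] is only touched
 * while offset < remaining.  Returns false when no terminator lies
 * inside the remaining bytes, i.e. the input is truncated or malformed. */
bool dio_get_string_checked(struct data_in *din, char *dest, size_t dest_size)
{
  const size_t remaining = dio_remaining(din);
  const unsigned char *c = din->src + din->current;
  size_t offset;

  for (offset = 0; offset < remaining && c[offset] != '\0'; offset++) {
    /* nothing */
  }
  if (offset == remaining) {
    /* Ran out of input without seeing '\0': do not trust these bytes. */
    din->too_short = true;
    din->current = din->src_size;
    if (dest_size > 0) dest[0] = '\0';
    return false;
  }
  /* Here offset < remaining and c[offset] == '\0', so the copy is bounded. */
  if (dest_size > 0) {
    size_t n = offset < dest_size - 1 ? offset : dest_size - 1;
    memcpy(dest, c, n);
    dest[n] = '\0';
  }
  din->current += offset + 1;   /* consume the terminator as well */
  return true;
}
```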