Complete.Org: Mailing Lists: Archives: freeciv-dev: April 2005:
[Freeciv-Dev] Re: (PR#12731) stdinhand.c overwrites own memory

To: per@xxxxxxxxxxx
Subject: [Freeciv-Dev] Re: (PR#12731) stdinhand.c overwrites own memory
From: "Jason Short" <jdorje@xxxxxxxxxxxxxxxxxxxxx>
Date: Wed, 6 Apr 2005 13:54:35 -0700
Reply-to: bugs@xxxxxxxxxxx

<URL: http://bugs.freeciv.org/Ticket/Display.html?id=12731 >

Per I. Mathisen wrote:
> <URL: http://bugs.freeciv.org/Ticket/Display.html?id=12731 >
> 
> ==18671== Source and destination overlap in memcpy(0x81BFA58, 0x81BFA58, 33)
> ==18671==    at 0x1B9047C9: memcpy (mac_replace_strmem.c:113)
> ==18671==    by 0x804D49D: mystrlcpy (support.c:240)
> ==18671==    by 0x805637C: load_command (stdinhand.c:3207)
> ==18671==    by 0x8051063: srv_main (srv_main.c:1655)
> ==18671==    by 0x804A42A: main (civserver.c:242)
> 
> srv_main.c: (void) load_command(NULL, srvarg.load_filename, FALSE);
> stdinhand.c: bool load_command(struct connection *caller, char *arg,
>                                bool check)
> stdinhand.c: sz_strlcpy(srvarg.load_filename, arg);
> 
> Yeah, pretty stupid, that one.

load_command() should make a local copy before using arg.

-jason
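To make the aliasing hazard and the "local copy first" fix concrete, here is an added C example; it is not code from the thread or from Freeciv. It assumes a constructed `struct server_args` standing in for `srvarg`, a `strlcpy_via_memcpy()` helper that mimics a memcpy-based strlcpy (the real `mystrlcpy` body is not on the page; only the valgrind trace shows it calls memcpy), and invented names `load_command_would_alias()` and `load_command_fixed()`. The first mirrors the original `load_command()` shape and reports the overlap valgrind flagged instead of performing the undefined copy; the second does what the reply suggests, with the NULL/empty check applied to the parameter before anything dereferences it.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the server's srvarg: only the field this thread
 * is about, as a small fixed-size buffer. */
struct server_args {
    char load_filename[64];
};

/* strlcpy-style copy built on memcpy, matching what the valgrind trace shows
 * mystrlcpy doing (assumed shape, not Freeciv's code). memcpy's contract
 * forbids overlapping buffers, so a self-copy (src == dst) is undefined
 * behaviour even when it appears to work. */
static size_t strlcpy_via_memcpy(char *dst, const char *src, size_t size)
{
    size_t len = strlen(src);
    if (size > 0) {
        size_t n = len < size - 1 ? len : size - 1;
        memcpy(dst, src, n);    /* overlap here is exactly the reported bug */
        dst[n] = '\0';
    }
    return len;
}

/* True when the byte ranges [a, a+alen) and [b, b+blen) share any byte.
 * Compared as integers so the check is well-defined for unrelated objects. */
static bool regions_overlap(const void *a, size_t alen,
                            const void *b, size_t blen)
{
    uintptr_t pa = (uintptr_t)a, pb = (uintptr_t)b;
    return pa < pb + blen && pb < pa + alen;
}

/* Shape of the original load_command(): it would copy arg straight into
 * srvarg.load_filename. Instead of performing that copy, report whether it
 * would overlap, which is the condition valgrind complained about. */
static bool load_command_would_alias(const struct server_args *srv,
                                     const char *arg)
{
    if (!arg || arg[0] == '\0') {
        return false;
    }
    return regions_overlap(srv->load_filename, sizeof srv->load_filename,
                           arg, strlen(arg) + 1);
}

/* Fixed shape: validate the parameter before calling strlen() on it, then
 * snapshot it into a local buffer before writing srvarg. A fixed-size local
 * (rather than a VLA) keeps the stack cost bounded whatever the argument's
 * length. Returns false when the usage check fails. */
static bool load_command_fixed(struct server_args *srv, const char *filename)
{
    char arg[sizeof srv->load_filename];

    if (!filename || filename[0] == '\0') {
        return false;           /* the server replies "Usage: load <filename>" */
    }
    strlcpy_via_memcpy(arg, filename, sizeof arg);
    /* arg is a distinct object, so this copy can never overlap its source. */
    strlcpy_via_memcpy(srv->load_filename, arg, sizeof srv->load_filename);
    return true;
}

/* Walks the srv_main.c scenario: the argument passed in IS the field being
 * overwritten. Returns the number of checks that held (5 when all pass). */
static int demo(void)
{
    struct server_args srv;
    int ok = 0;

    strlcpy_via_memcpy(srv.load_filename, "saves/game.sav",
                       sizeof srv.load_filename);
    ok += load_command_would_alias(&srv, srv.load_filename) == true;
    ok += load_command_would_alias(&srv, "other.sav") == false;
    ok += load_command_fixed(&srv, srv.load_filename) == true
          && strcmp(srv.load_filename, "saves/game.sav") == 0;
    ok += load_command_fixed(&srv, NULL) == false;
    ok += load_command_fixed(&srv, "new.sav") == true
          && strcmp(srv.load_filename, "new.sav") == 0;
    return ok;
}

int main(void)
{
    printf("%d/5 checks passed\n", demo());
    return 0;
}
```

The overlap check is the same test a sanitizer applies to memcpy; keeping it in the code path that previously aliased makes the bug detectable in ordinary runs, while the fixed version removes the aliasing altogether by copying into a buffer whose lifetime and size the function controls.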

Index: server/stdinhand.c
===================================================================
RCS file: /home/freeciv/CVS/freeciv/server/stdinhand.c,v
retrieving revision 1.392
diff -u -r1.392 stdinhand.c
--- server/stdinhand.c  31 Mar 2005 17:48:34 -0000      1.392
+++ server/stdinhand.c  6 Apr 2005 20:53:53 -0000
@@ -3166,10 +3166,15 @@
 /**************************************************************************
   ...
 **************************************************************************/
-bool load_command(struct connection *caller, char *arg, bool check)
+bool load_command(struct connection *caller, char *filename, bool check)
 {
   struct timer *loadtimer, *uloadtimer;  
   struct section_file file;
+  char arg[strlen(filename) + 1];
+
+  /* We make a local copy because the parameter might be a pointer to 
+   * srvarg.load_filename, which we edit down below. */
+  sz_strlcpy(arg, filename);
 
   if (!arg || arg[0] == '\0') {
     cmd_reply(CMD_LOAD, caller, C_FAIL, _("Usage: load <filename>"));
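Review bot: the new `char arg[strlen(filename) + 1];` dereferences `filename` before the `if (!arg || arg[0] == '\0')` guard that follows, so a NULL argument, which the unchanged guard shows is an expected input, now crashes in strlen() instead of producing the usage reply. Move the NULL/empty test onto the parameter ahead of the declaration and copy, e.g. `if (!filename || filename[0] == '\0') { cmd_reply(CMD_LOAD, caller, C_FAIL, _("Usage: load <filename>")); ... }` returning as the existing usage branch does, and consider a fixed-size local sized like `srvarg.load_filename` instead of an argument-length VLA, which places an unbounded, caller-controlled allocation on the stack. The comment line `/* We make a local copy because the parameter might be a pointer to ` also carries trailing whitespace that should be trimmed.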
