nethack -s buffer overflow fix

When printing invalid player names in -s mode, it was possible to overflow
the output buffer due to a missing buffer size check.  On shared Unix-like
systems with executable stacks, this could be used as a security exploit,
eg to obtain a shell running as user or group games.
While I was at it, removed a dead block of "#if 0" code
This commit is contained in:
cohrs
2003-02-10 19:01:58 +00:00
parent 6c1d28753c
commit 8930e5b442
2 changed files with 7 additions and 8 deletions

View File

@@ -788,14 +788,6 @@ char **argv;
if (!argv[1][2]){ /* plain "-s" */
argc--;
argv++;
#if 0 /* uses obsolete pl_classes[] */
} else if (!argv[1][3] && index(pl_classes, argv[1][2])) {
/* may get this case instead of next accidentally,
* but neither is listed in the documentation, so
* anything useful that happens is a bonus anyway */
argv[1]++;
argv[1][0] = '-';
#endif
} else argv[1] += 2;
if (argc > 1 && !strcmp(argv[1], "-v")) {
@@ -857,6 +849,12 @@ char **argv;
else {
if (playerct > 1) Strcat(pbuf, "any of ");
for (i = 0; i < playerct; i++) {
/* stop printing players if there are too many to fit */
if (strlen(pbuf) + strlen(players[i]) + 2 >= BUFSZ) {
if (strlen(pbuf) < BUFSZ-4) Strcat(pbuf, "...");
else Strcpy(pbuf+strlen(pbuf)-4, "...");
break;
}
Strcat(pbuf, players[i]);
if (i < playerct-1) {
if (players[i][0] == '-' &&