Open illwieckz opened 9 years ago
Yeah, the code has sprintf(), strcpy(), and strcat() in it.. those can probably be converted over to snprintf(), strlcpy(), and strlcat() at some point.
I'll look into it and put a PR in. :+1: (As I get warnings when I compile about those functions on OpenBSD)
There are some older methods which could indeed lead to issues, PRs welcome.
@stevenh @illwieckz - I've made a start converting sprintf to snprintf and the other functions as well. I've not quite gotten all of them converted over yet, however I ran a while loop through that list from qtracker.com and I didn't get any crashes this time. Once I've updated the functions, I'll send a PR.
nice!!
@illwieckz @stevenh According to the struct for q_rule, the 'data' element is: unsigned char data[19]; So that's only 19 characters allocated for rules, so any rules over that length will overflow. If that strcpy gets converted to a strlcpy, then you will only see the first 19 chars of the rules is my guess. If you wanted more, then the q_packet struct would need changing I think. (With a longer data[] length)
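The truncation behaviour discussed in the comment above, as an added example that is not part of the thread or of qstat's code: a bounded copy into a 19-byte field keeps at most 18 characters plus the terminating NUL and lets the caller detect that the rule was cut. The names `rule_buf`, `bounded_copy` and `set_rule` are hypothetical; only the `unsigned char data[19]` size comes from the thread, and the sample rule strings are constructed.

```c
#include <stdio.h>
#include <string.h>

#define RULE_DATA_LEN 19   /* from the thread: unsigned char data[19] */

/* Hypothetical stand-in for the struct discussed above; only the
 * size of the data field is taken from the thread. */
struct rule_buf {
    unsigned char data[RULE_DATA_LEN];
};

/* Bounded copy with strlcpy semantics (written out here because strlcpy
 * is not available in every libc). Copies at most dstsize-1 bytes,
 * always NUL-terminates when dstsize > 0, and returns strlen(src) so
 * the caller can detect truncation with (ret >= dstsize). */
static size_t bounded_copy(char *dst, const char *src, size_t dstsize)
{
    size_t srclen = strlen(src);
    if (dstsize > 0) {
        size_t n = srclen < dstsize - 1 ? srclen : dstsize - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* Store a rule string; returns 0 if it fit, 1 if it was truncated. */
static int set_rule(struct rule_buf *r, const char *rule)
{
    size_t need = bounded_copy((char *)r->data, rule, sizeof r->data);
    return need >= sizeof r->data;
}

int main(void)
{
    struct rule_buf r;
    /* Constructed sample inputs, not captured from a real server. */
    const char *samples[] = { "maxclients",
                              "an_overlong_rule_name_from_a_server" };
    for (size_t i = 0; i < 2; i++) {
        int cut = set_rule(&r, samples[i]);
        printf("%-36s -> \"%s\"%s\n", samples[i], (char *)r.data,
               cut ? " (truncated)" : "");
    }
    return 0;
}
```

A truncated rule is a data-quality problem rather than a memory-safety one, so the return value is worth logging or surfacing to the user instead of being ignored.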
Not sure what you mean by q_rule as that's only used in one place, if you mean rules in general then they are dealt with differently.
Hi @illwieckz - Are you able to reproduce this at all with the latest version? I attempted to do so myself and used the following one-liner:
for srv in $(qstat -qwm master.quakeservers.net:27000 | awk '{ print $2}'); do qstat -qws ${srv}; done
(You can use any of the master quakeworld servers here: https://www.quakeservers.net/quakeworld/master_servers/)
I wasn't able to reproduce this at all.
Hi, I'm experiencing a buffer overflow when I try to query some Quake1 servers while asking for server rules.
Basic query (works):
Server rules query (does not work):
It fails while trying an strcpy in send_rule_request_packet function in qstat.c.
You can experiment with server 109.228.169.24:26003 but probably anyone from this list:
This was tested on the last revision of the master branch.