1 (edited by nozx 2008-02-15 13:55:49)

Topic: vulns

file: teewars-0.3.3-src/src/game/server/gs_server.cpp

on line 1953:
if(msg == MSG_CHANGEINFO && strcmp(name, server_clientname(client_id)) != 0)
{
    char msg[256];
    sprintf(msg, "*** %s changed name to %s", server_clientname(client_id), name);
    send_chat(-1, -1, msg);
}

Using a specially crafted net packet, a user can cause a server DoS. Must use snprintf instead of sprintf.

on line 1982:
else if (msg == MSG_EMOTICON)
{
    int emoteicon = msg_unpack_int();
    send_emoticon(client_id, emoteicon % 16);
}

int emoteicon is not checked for less than 0. Not a critical bug, but...

NOTE: version 0.3.4 vulnerable too
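Added example, not code from the Teewars source or from the post above, showing the hardened counterparts of the two snippets: the chat announcement built with snprintf into a 256-byte buffer (with the truncation result checked instead of ignored), a length/character check on the client-supplied name so the message always fits, and a range check on the emoticon value instead of `% 16`, which in C yields a negative index for negative input. `MAX_NAME_LEN`, `NUM_EMOTICONS` and all function names are assumptions for the example; the server's real limits may differ.

```c
#include <stdio.h>
#include <string.h>

#define CHAT_MSG_LEN  256   /* same size as the char msg[256] in the original snippet */
#define MAX_NAME_LEN  16    /* assumed name limit; the snippet itself does not enforce one */
#define NUM_EMOTICONS 16    /* assumed: the original applies "% 16", so 16 entries */

/* Bounded replacement for the sprintf() call. Returns 0 when the whole message
   fit, -1 when snprintf() had to truncate (the caller may drop the message or
   reject the name, but the buffer is never overrun either way). */
int format_name_change(char *out, size_t outlen, const char *oldname, const char *newname)
{
    int n = snprintf(out, outlen, "*** %s changed name to %s", oldname, newname);
    if (n < 0 || (size_t)n >= outlen)
        return -1;  /* truncated or encoding error */
    return 0;
}

/* Validate a client-supplied name before it is stored or echoed to other clients:
   non-empty, at most MAX_NAME_LEN bytes, printable ASCII only. With this check in
   place the announcement above can never exceed CHAT_MSG_LEN. */
int name_is_valid(const char *name)
{
    size_t len = 0;
    while (name[len] != '\0') {
        unsigned char c = (unsigned char)name[len];
        if (c < 0x20 || c > 0x7e)
            return 0;           /* control byte or non-ASCII */
        if (++len > MAX_NAME_LEN)
            return 0;           /* too long */
    }
    return len > 0;
}

/* In C, (-1 % 16) == -1, so the original "emoteicon % 16" does not keep a
   negative value inside the table. Accept only 0 .. NUM_EMOTICONS-1 and
   return -1 for anything else so the caller can ignore the message. */
int validate_emoticon(int emoteicon)
{
    if (emoteicon < 0 || emoteicon >= NUM_EMOTICONS)
        return -1;
    return emoteicon;
}

/* Self-check: a constructed 300-byte name (far longer than the 256-byte chat
   buffer) is reported as truncated and the buffer stays NUL-terminated at
   CHAT_MSG_LEN-1 characters. Returns 1 when both hold. */
int long_name_is_truncated(void)
{
    char buf[CHAT_MSG_LEN];
    char longname[300];                        /* constructed oversized input */
    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';

    int rc = format_name_change(buf, sizeof buf, "bob", longname);
    return rc == -1 && strlen(buf) == CHAT_MSG_LEN - 1 && !name_is_valid(longname);
}

int main(void)
{
    char buf[CHAT_MSG_LEN];
    printf("oversized name truncated safely: %d\n", long_name_is_truncated());
    printf("normal rename fits: %d\n", format_name_change(buf, sizeof buf, "bob", "alice") == 0);
    printf("%s\n", buf);
    printf("emoticon -1 -> %d, 5 -> %d, 16 -> %d\n",
           validate_emoticon(-1), validate_emoticon(5), validate_emoticon(16));
    return 0;
}
```

The name check is the part that actually closes the hole: once every stored name is at most MAX_NAME_LEN printable bytes, the formatted string has a known maximum length and the snprintf truncation branch becomes a defensive backstop rather than the only line of defence.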

2 (edited by void 2008-02-15 14:56:38)

Re: vulns

I know that matricks is doing a full run to find these things now. My guess is that he has found those and a lot of other ones already. But thanks!

Languages shapes the way we think, or don't.

3

Re: vulns

Doing a complete overhaul to remove any possible vulnerabilities for 0.4.0. All string functions have been replaced. Doing some very harsh testing to keep the server from crashing etc. on strange input from the clients.