[CODE] Buffer overflow / pfile corruption bug

From: Andrey Fidrya (andrey@alex-ua.com)
Date: 06/24/99


Here is another buffer overflow / pfile corruption bug (ever wonder where
these chars with empty titles came from? :)
Watch this log: (My comments are marked with //)

Start logging: 24.06.1999 10:48 by Krys

Welcome to CircleMUD!
0) Exit from CircleMUD.
1) Enter the game.
2) Enter description.
3) Read the background story.
4) Change password.
5) Delete this character.

   Make your choice: 1

Welcome to the land of CircleMUD!  May your visit here be... Interesting.

The Temple Of Midgaard
[...]

> who
Players
-------
[ 2 Mu] Krys the Apprentice of Magic

One lonely character displayed.

> quit
Goodbye, friend.. Come back soon!

Welcome to CircleMUD!
0) Exit from CircleMUD.
1) Enter the game.
2) Enter description.
3) Read the background story.
4) Change password.
5) Delete this character.

   Make your choice: 2
Old description:
Enter the new text you'd like others to see when they look at you.
Terminate with a '@' on a new line.
// The following text is one line:
] zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
Line too long.  Truncated to:
zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
String too long - Truncated.

Welcome to CircleMUD!
0) Exit from CircleMUD.
1) Enter the game.
2) Enter description.
3) Read the background story.
4) Change password.
5) Delete this character.

   Make your choice: 1

Welcome to the land of CircleMUD!  May your visit here be... Interesting.

The Temple Of Midgaard
[...]

> who
Players
-------
[ 2 Mu] Krys


One lonely character displayed.

>

// Where is my title? :)

The bug is in modify.c, string_add():
===
    if (strlen(str) > d->max_str) {
      send_to_char("String too long - Truncated.\r\n",
     d->character);
      *(str + d->max_str) = '\0';
      terminator = 1;
    }
    CREATE(*d->str, char, strlen(str) + 3);
    strcpy(*d->str, str);
===
I.e. if max_str is EXDESCR_LENGTH == 240, then string_add will create a
string that is EXDESCR_LENGTH + 3 symbols long. :(
Strcpy in store_to_char will overwrite the player's title with these 3 symbols of
the player's description.
The fix is (mailer code, I haven't tested it):
===
/* Add user input to the 'current' string (as defined by d->str) */
void string_add(struct descriptor_data *d, char *str)
{
  int terminator;

  /* determine if this is the terminal string, and truncate if so */
  /* changed to only accept '@' at the beginning of line - J. Elson 1/17/94
*/

  delete_doubledollar(str);

  if ((terminator = (*str == '@')))
    *str = '\0';

  smash_tilde(str);

  if (!(*d->str)) {
-   if (strlen(str) > d->max_str) {
+   if (strlen(str) > d->max_str - 3) { /* Zmey: Reserve space for \r\n\0 */
      send_to_char("String too long - Truncated.\r\n",
     d->character);
-     *(str + d->max_str) = '\0';
+     *(str + d->max_str - 3) = '\0';
      terminator = 1;
+     /* What do you think about adding "strcat(str, "\r\n")" here? */
+     /* With current setup, auto-truncated string has no cr-lf */
    }
    CREATE(*d->str, char, strlen(str) + 3);
    strcpy(*d->str, str);
  } else {
-   if (strlen(str) + strlen(*d->str) > d->max_str) {
+   if (strlen(str) + strlen(*d->str) > d->max_str - 3) {
      send_to_char("String too long.  Last line skipped.\r\n",
d->character);
      terminator = 1;
    } else {
      if (!(*d->str = (char *) realloc(*d->str, strlen(*d->str) +
           strlen(str) + 3))) {
        perror("SYSERR: string_add");
        exit(1);
      }
      strcat(*d->str, str);
    }
  }
[...]
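Review bot: the `- 3` that now appears three times in the hunk (both length checks and the truncation index `*(str + d->max_str - 3)`) is a magic number whose only anchor is the `strlen(str) + 3` in the CREATE/realloc calls below it; give it a name next to that `+ 3` so the reserve and the allocation cannot drift apart, and check the declared type of `d->max_str` before landing this: if it is a signed `int`, `d->max_str - 3` is converted to `size_t` for the comparison with `strlen()`, which only misbehaves for `max_str < 3` but is worth a comment. The two `+` comment lines asking about `strcat(str, "\r\n")` should be resolved one way or the other before the patch goes in rather than shipped as a question in the source. Note also that the change silently lowers the player-visible limit from max_str to max_str - 3 characters while the "String too long - Truncated." message stays the same. Finally, this hunk only fixes the producer; the consumer the report names, the strcpy in store_to_char, would still overwrite the title for any over-length description from another editor path (the Oasis OLC editor is mentioned as having the same problem), so a bounded copy into the fixed-size pfile field there is the change that actually removes the corruption regardless of the editor's arithmetic.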
===

There is the same problem with the Oasis OLC advanced text editor.

Zmey // 3MoonsWorld (rmud.net.ru:4000)
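As an added illustration (not code from this post or from CircleMUD), here is a small C model of the corruption described above: a fixed-size record with description[] sitting directly before title[], one store that copies the whole string the way strcpy does, a bounded alternative, and the corrected editor check. The record layout, the MAX_TITLE_LENGTH value and all function names are assumptions made for the example.

```c
#include <stddef.h>
#include <string.h>
#define EXDESCR_LENGTH 240   /* value quoted in the post */
#define MAX_TITLE_LENGTH 80  /* assumed; not stated on this page */

/* Assumed pfile layout: description[] sits directly before title[], so
 * any byte written past the end of description[] lands in title[]. */
struct pfile_rec {
    char description[EXDESCR_LENGTH];
    char title[MAX_TITLE_LENGTH + 1];
};
/* The corrected editor check from the patch: a line may only be kept if
 * max_str still has room for the trailing "\r\n" and the NUL. */
int desc_fits(size_t chars) {
    return chars <= EXDESCR_LENGTH - 3;
}

/* Unbounded store: copies strlen+1 bytes into description[] exactly as
 * strcpy does. Done as a byte copy over the record so the overflow stays
 * inside the struct and its effect on title[] can be observed safely. */
void store_unbounded(struct pfile_rec *rec, const char *desc) {
    memcpy((unsigned char *)rec + offsetof(struct pfile_rec, description),
           desc, strlen(desc) + 1);
}

/* Bounded store: never writes outside description[] and keeps it NUL-
 * terminated. Returns 1 if the whole description fit, 0 if it was cut. */
int store_bounded(struct pfile_rec *rec, const char *desc) {
    size_t n = strlen(desc);
    int fit = n < EXDESCR_LENGTH;
    if (!fit) n = EXDESCR_LENGTH - 1;
    memcpy(rec->description, desc, n);
    rec->description[n] = '\0';
    return fit;
}

/* Stores a constructed description of desc_len 'z' characters with one of
 * the two routines and reports whether the title survived (1) or not (0). */
int title_survives(size_t desc_len, int bounded) {
    struct pfile_rec rec;
    char desc[EXDESCR_LENGTH + 16];
    if (desc_len >= sizeof desc) desc_len = sizeof desc - 1;
    memset(desc, 'z', desc_len);
    desc[desc_len] = '\0';
    memset(&rec, 0, sizeof rec);
    strcpy(rec.title, "the Apprentice of Magic");  /* title from the log */
    if (bounded) store_bounded(&rec, desc); else store_unbounded(&rec, desc);
    return strcmp(rec.title, "the Apprentice of Magic") == 0;
}
```

With a 240-character description the unbounded store puts the terminating NUL on title[0], which is exactly the empty title the log shows; the bounded store keeps the title whatever the input length.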


     +------------------------------------------------------------+
     | Ensure that you have read the CircleMUD Mailing List FAQ:  |
     |  http://qsilver.queensu.ca/~fletchra/Circle/list-faq.html  |
     +------------------------------------------------------------+



This archive was generated by hypermail 2b30 : 12/15/00 PST