fix buffer overflow vulnerability in NetGenFunc
author Artur Byszko <bajkero@security.hack.pl>
Wed, 13 Aug 2003 01:33:02 +0000 (01:33 +0000)
committer Mischa POSLAWSKY <netris@shiar.org>
Mon, 16 Mar 2009 17:30:17 +0000 (18:30 +0100)
README
inet.c

diff --git a/README b/README
index 9420e208f9b917ddbcf1cbdd2c257ea1b2244441..9b1886a11d91ac3c7456ecd7a517cfa591e3fe63 100644 (file)
--- a/README
+++ b/README
@@ -51,6 +51,12 @@ how it goes, and send me diffs if needed!
 See the FAQ in this directory if you have any problems.
 
 
+FIXED IN VERSION 0.52
+=====================
+Fixed a buffer overflow vulnerability discovered by
+Artur Byszko / bajkero <bajkero@security.hack.pl>
+
+
 NEW IN VERSION 0.5
 ==================
 Netris now specifically looks for ncurses and uses color if it's
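Review bot: The 0.52 entry says only "a buffer overflow vulnerability" and gives no indication of where it is or how it is reached. The inet.c change in this same commit shows that it is triggered by the size field of a received packet in NetGenFunc, so the entry should say that the overflow is in network packet handling and that versions before 0.52 are affected. That tells anyone who plays over the network why the upgrade matters.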
diff --git a/inet.c b/inet.c
index dbfe7484f0d8b9bb2a65f956ce9afc7e9d979bb5..a8d9a9d9149c9b67e3c05516d1b040f970cad8f1 100644 (file)
--- a/inet.c
+++ b/inet.c
@@ -151,6 +151,9 @@ static MyEventType NetGenFunc(EventGenRec *gen, MyEvent *event)
        memcpy(data, netBuf, sizeof(data));
        type = ntoh2(data[0]);
        size = ntoh2(data[1]);
+       if (size >= sizeof(netBuf))
+               fatal("Received an invalid packet (too large), possibly an attempt\n"
+                         "  to exploit a vulnerability in versions before 0.52 !");
        netBufGoal = size;
        if (netBufSize < netBufGoal)
                return E_none;
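Review bot: The new check in NetGenFunc bounds size only from above, so a size smaller than the header just copied out with memcpy (sizeof(data)) is still accepted and assigned to netBufGoal. Suggest rejecting that case in the same test, for example "if (size < sizeof(data) || size >= sizeof(netBuf))", so that any later code deriving a payload length from size cannot end up with a negative or wrapped value. The declaration of size is not visible in this hunk; if it is a signed type, confirm that a wire value with the high bit set is still caught by the comparison against sizeof(netBuf) rather than relying on implicit conversion. A short comment above the check stating which lengths are valid would also help the next reader.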