fix buffer overflow vulnerability in NetGenFunc
authorArtur Byszko <bajkero@security.hack.pl>
Wed, 13 Aug 2003 01:33:02 +0000 (01:33 +0000)
committerMischa POSLAWSKY <netris@shiar.org>
Mon, 16 Mar 2009 17:30:17 +0000 (18:30 +0100)
README
inet.c

diff --git a/README b/README
index 9420e208f9b917ddbcf1cbdd2c257ea1b2244441..9b1886a11d91ac3c7456ecd7a517cfa591e3fe63 100644 (file)
--- a/README
+++ b/README
@@ -51,6 +51,12 @@ how it goes, and send me diffs if needed!
 See the FAQ in this directory if you have any problems.
 
 
 See the FAQ in this directory if you have any problems.
 
 
+FIXED IN VERSION 0.52
+=====================
+Fixed a buffer overflow vulnerability discovered by
+Artur Byszko / bajkero <bajkero@security.hack.pl>
+
+
 NEW IN VERSION 0.5
 ==================
 Netris now specifically looks for ncurses and uses color if it's
 NEW IN VERSION 0.5
 ==================
 Netris now specifically looks for ncurses and uses color if it's
diff --git a/inet.c b/inet.c
index dbfe7484f0d8b9bb2a65f956ce9afc7e9d979bb5..a8d9a9d9149c9b67e3c05516d1b040f970cad8f1 100644 (file)
--- a/inet.c
+++ b/inet.c
@@ -151,6 +151,9 @@ static MyEventType NetGenFunc(EventGenRec *gen, MyEvent *event)
        memcpy(data, netBuf, sizeof(data));
        type = ntoh2(data[0]);
        size = ntoh2(data[1]);
        memcpy(data, netBuf, sizeof(data));
        type = ntoh2(data[0]);
        size = ntoh2(data[1]);
+       if (size >= sizeof(netBuf))
+               fatal("Received an invalid packet (too large), possibly an attempt\n"
+                         "  to exploit a vulnerability in versions before 0.52 !");
        netBufGoal = size;
        if (netBufSize < netBufGoal)
                return E_none;
        netBufGoal = size;
        if (netBufSize < netBufGoal)
                return E_none;
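Review bot: The added check bounds `size` only from above, so a length field smaller than the header just copied out with `memcpy(data, netBuf, sizeof(data))` still passes and is assigned to `netBufGoal`. The rest of NetGenFunc lies outside this hunk, so how it uses `size` is not visible, but a packet length shorter than its own header is never valid and can be rejected in the same test: `if (size < sizeof(data) || size >= sizeof(netBuf))`. The declaration of `size` is also outside the hunk; if it is a signed type, negative lengths are rejected only through the implicit conversion to `size_t` in this comparison. That deserves a comment such as `/* size is compared as size_t, so a negative length is rejected as too large */`.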