git.pond.sub.org Git - empserver/commit

author	Markus Armbruster <armbru@pond.sub.org>
	Mon, 27 Jan 2014 16:52:32 +0000 (17:52 +0100)
committer	Markus Armbruster <armbru@pond.sub.org>
	Sun, 1 Feb 2015 15:52:58 +0000 (16:52 +0100)
commit	002a3a3f1e5bae8203e02c9f44d33b49f7ee0bd7
tree	da019195f190176009362d19250dbdaf9837f895	tree \| snapshot
parent	47ccc40e38ca016f5040812f2ef1cea4a6de56bb	commit \| diff

xundump: Refuse to undump strings too long for terminating null

We're dealing with three kinds of string storage: char * pointing to a
null-terminated string, char[] holding a null-terminated string, and
char holding a string of length 0 or 1.

Unfortunately, xdump meta data doesn't distinguish the latter two:
both are NSC_STRINGY.  Because of that, xundump happily fills char[]
to the limit, producing strings that aren't null-terminated, resulting
in read beyond buffer and possibly worse.

Affects struct shpstr members shp_path, shp_name, shp_rpath, struct
lndstr member lnd_rpath, and struct natstr members nat_cnam, nat_pnam,
nat_hostaddr, nat_hostname, nat_userid.  Since these are all in game
state, only the empdump utility program is affected, not the
configuration table reader.

We clearly need to require null-termination for char[] values.  Since
using char[1] for null-terminated strings makes no sense, we can still
make NSC_STRINGY with length 1 serve char values as before, by
permitting non-null-terminated strings only when length is 1.  Ugly
wart, but it fixes the bug without a possibly awkward change xdump
meta-data.

Signed-off-by: Markus Armbruster <armbru@pond.sub.org>

include/nsc.h		diff \| blob \| history
src/lib/common/xundump.c		diff \| blob \| history