Document buffer overrun for long land paths

BestLandPath(), BestDistPath() and best_path() are unsafe by design:
they take a path[] argument without a size, and blindly assume there's
enough space.  When that's wrong, bp_path() overruns the caller's
buffer.

move_ground() and assemble_dist_paths() provide space for 512
characters.  best(), dist(), path(), att_reacting_units(), s_commod()
and do_unit_move() provide space for 1024 characters.

A malicious player can arrange paths longer than that, but it takes a
lot of land.

BestAirPath() and BestShipPath() also take a path[] argument without a
size, but they're actually safe: bestownedpath() writes at most 100
(MAXROUTE) characters, perform_mission_bomb() provides space for 512,
sorde(), getpath(), do_unit_move() and nav_ship() for 1024.

diff --git a/src/lib/common/path.c b/src/lib/common/path.c
index c0344d13e33a8cfda3613b75f8f97fdb71a20903..6313a6174245f5010bcf0706de115b41cedef169 100644 (file)
--- a/src/lib/common/path.c
+++ b/src/lib/common/path.c
@@ -91,6 +91,8 @@ bp_init(void)
 /*
  * Find the best path from sector to to sector, and put the Empire movement
  * string in path.  Return 0 on success, -1 on error.
 /*
  * Find the best path from sector to to sector, and put the Empire movement
  * string in path.  Return 0 on success, -1 on error.

+ * FIXME unsafe by design: assumes path[] has space; buffer overrun
+ * when path gets long!

  */
 static int
 best_path(struct sctstr *from, struct sctstr *to, char *path, int mob_type)
  */
 static int
 best_path(struct sctstr *from, struct sctstr *to, char *path, int mob_type)