From: Markus Armbruster
Date: Sun, 20 Mar 2011 09:06:33 +0000 (+0100)
Subject: Document buffer overrun for long land paths
X-Git-Tag: v4.3.27~101
X-Git-Url: http://git.pond.sub.org/?p=empserver;a=commitdiff_plain;h=e30dc41717b915c3e6a78384e91c7c4706a27f65

Document buffer overrun for long land paths

BestLandPath(), BestDistPath() and best_path() are unsafe by design: they take a path[] argument without a size, and blindly assume there's enough space. When that's wrong, bp_path() overruns the caller's buffer.

move_ground() and assemble_dist_paths() provide space for 512 characters. best(), dist(), path(), att_reacting_units(), s_commod() and do_unit_move() provide space for 1024 characters. A malicious player can arrange paths longer than that, but it takes a lot of land.

BestAirPath() and BestShipPath() also take a path[] argument without a size, but they're actually safe: bestownedpath() writes at most 100 (MAXROUTE) characters, perform_mission_bomb() provides space for 512, sorde(), getpath(), do_unit_move() and nav_ship() for 1024.

---

diff --git a/src/lib/common/path.c b/src/lib/common/path.c index c0344d13e..6313a6174 100644 --- a/src/lib/common/path.c +++ b/src/lib/common/path.c @@ -91,6 +91,8 @@ bp_init(void) /* * Find the best path from sector to to sector, and put the Empire movement * string in path. Return 0 on success, -1 on error. + * FIXME unsafe by design: assumes path[] has space; buffer overrun + * when path gets long! */ static int best_path(struct sctstr *from, struct sctstr *to, char *path, int mob_type)
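Review bot: the FIXME in the path.c hunk only marks best_path(), while the commit message names BestLandPath() and BestDistPath() as sharing the same unsafe design; the same two-line note belongs on those two entry points as well, since a caller reading their comment block will not see it. Documenting the problem is fine as a first step, but the comment already states the fix: the function should take the size of path[] and return -1 (its existing error convention) when bp_path() would need more, so that the 512- and 1024-byte callers listed in the message get an error instead of an overrun.

The failure mode the commit message describes, as an added example that is not part of empserver: a stand-in for the unbounded path writer beside a bounded version that takes the buffer size and returns -1 when the path would not fit. The direction letters, the trailing 'h', the step-count interface, and the 16-byte buffer are assumptions chosen for illustration; the real bp_path() walks a backtrace into a 512- or 1024-byte buffer. The guard bytes after the buffer exist only so the overrun can be observed without writing outside any object.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for the interface the commit describes.  The six
 * direction letters and the trailing 'h' are assumptions about Empire's
 * movement-string syntax, chosen only so the example has something to
 * emit; the real bp_path() walks a backtrace, not a step count. */
static const char dirs[] = "uyjbgn";

#define PATH_SIZE   16   /* the caller's buffer (512 or 1024 in empserver) */
#define CANARY_SIZE 8    /* guard bytes used below to observe the overrun */

/* Unsafe by design: no size argument, assumes path[] is large enough.
 * Writes nsteps direction letters, 'h' and a NUL: nsteps + 2 bytes. */
static int best_path_unsafe(char *path, size_t nsteps)
{
    size_t i;

    for (i = 0; i < nsteps; i++)
        path[i] = dirs[i % (sizeof dirs - 1)];
    path[i++] = 'h';
    path[i] = '\0';
    return 0;
}

/* Hardened form: takes the buffer size and refuses to write a path that
 * would not fit, returning -1 like the original's error convention. */
static int best_path_bounded(char *path, size_t pathsz, size_t nsteps)
{
    size_t i;

    if (pathsz < 2 || nsteps > pathsz - 2)
        return -1;
    for (i = 0; i < nsteps; i++)
        path[i] = dirs[i % (sizeof dirs - 1)];
    path[i++] = 'h';
    path[i] = '\0';
    return 0;
}

/* Returns 1 if the guard bytes after the PATH_SIZE buffer were touched. */
static int guard_clobbered(const char *buf, size_t total)
{
    size_t i;

    for (i = PATH_SIZE; i < total; i++)
        if ((unsigned char)buf[i] != 0xAA)
            return 1;
    return 0;
}

/* Calls the unsafe writer with a PATH_SIZE buffer that is followed, in
 * the same object, by CANARY_SIZE guard bytes.  Returns 1 if the write
 * ran past the caller's PATH_SIZE, 0 if it stayed inside, and -1 if the
 * request would leave the guarded object entirely (never executed). */
int unsafe_writer_overruns(size_t nsteps)
{
    char buf[PATH_SIZE + CANARY_SIZE];

    if (nsteps + 2 > sizeof buf)
        return -1;
    memset(buf, 0xAA, sizeof buf);
    best_path_unsafe(buf, nsteps);
    return guard_clobbered(buf, sizeof buf);
}

/* Same experiment with the bounded writer: -1 if it refused the path,
 * 1 if the guard bytes were touched, 0 if the path fit cleanly. */
int bounded_writer_overruns(size_t nsteps)
{
    char buf[PATH_SIZE + CANARY_SIZE];

    memset(buf, 0xAA, sizeof buf);
    if (best_path_bounded(buf, PATH_SIZE, nsteps) < 0)
        return -1;
    return guard_clobbered(buf, sizeof buf);
}
```

With a 16-byte buffer, 14 steps plus 'h' and the NUL exactly fit; one more step makes the unsafe writer clobber the guard bytes, while the bounded writer returns -1 and writes nothing. The same arithmetic applies to the 512- and 1024-byte callers named above: the overrun starts at the first path whose length plus terminator exceeds the caller's buffer.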