Document buffer overrun for long land paths
BestLandPath(), BestDistPath() and best_path() are unsafe by design: they take a path[] argument without a size, and blindly assume there's enough space. When that's wrong, bp_path() overruns the caller's buffer.

move_ground() and assemble_dist_paths() provide space for 512 characters. best(), dist(), path(), att_reacting_units(), s_commod() and do_unit_move() provide space for 1024 characters. A malicious player can arrange paths longer than that, but it takes a lot of land.

BestAirPath() and BestShipPath() also take a path[] argument without a size, but they're actually safe: bestownedpath() writes at most 100 (MAXROUTE) characters, perform_mission_bomb() provides space for 512, sorde(), getpath(), do_unit_move() and nav_ship() for 1024.
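The contract the commit message describes, shown as an added example that is not Empire's code: toy_bp_path_unsafe() stands in for bp_path() and writes a movement string into path[] without knowing its size, while toy_bp_path() is a bounded replacement that takes the size and fails with -1 when the path does not fit. MOVE_GROUND_PATH_SZ is the 512-character buffer the message says move_ground() provides; the caller_frame layout, the straight run of 'j' steps used as the path, and all function names are assumptions made for this demonstration.

```c
/*
 * Added example (not Empire's code): a toy model of the bp_path()
 * contract from the commit message, beside a bounded replacement.
 * MOVE_GROUND_PATH_SZ is the 512-character buffer move_ground() provides
 * per the commit message; the struct layout and every function name here
 * are assumptions made for the demonstration.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MOVE_GROUND_PATH_SZ 512   /* caller buffer size per the commit message */
#define AFTER_SZ 16               /* bytes modelled as living right after path[] */

/* The caller's memory as one object: the path[] buffer a caller such as
 * move_ground() hands down, followed by whatever happens to sit after it.
 * Keeping both in one struct makes a write past path[] observable here
 * without leaving the object (so without undefined behaviour). */
struct caller_frame {
    char path[MOVE_GROUND_PATH_SZ];
    char after[AFTER_SZ];
};

/* Unsafe by design, like bp_path(): nsteps direction characters plus the
 * terminating NUL are written wherever path points, size unknown. */
static void toy_bp_path_unsafe(char dir, size_t nsteps, char *path)
{
    memset(path, dir, nsteps);
    path[nsteps] = '\0';
}

/* Bounded replacement: the caller passes the buffer size; a path that
 * does not fit (nsteps chars plus NUL) is rejected with -1, matching the
 * "Return 0 on success, -1 on error" contract of best_path(). */
static int toy_bp_path(char dir, size_t nsteps, char *path, size_t pathsz)
{
    if (pathsz == 0)
        return -1;
    if (nsteps >= pathsz) {
        path[0] = '\0';          /* leave a valid, empty string behind */
        return -1;
    }
    memset(path, dir, nsteps);
    path[nsteps] = '\0';
    return 0;
}

/* Count bytes of f->after that no longer hold the 'X' fill pattern. */
static size_t count_clobbered(const struct caller_frame *f)
{
    size_t i, n = 0;

    for (i = 0; i < AFTER_SZ; i++)
        if (f->after[i] != 'X')
            n++;
    return n;
}

/* Run the unsafe writer for a straight path of nsteps 'j' steps and report
 * how many bytes after path[] it overwrote.  The write is aimed at the
 * whole struct so the overrun stays inside it. */
static size_t clobbered_after_unsafe(size_t nsteps)
{
    struct caller_frame f;

    if (nsteps + 1 > sizeof f)   /* keep the demonstration itself in bounds */
        return (size_t)-1;
    memset(f.after, 'X', AFTER_SZ);
    toy_bp_path_unsafe('j', nsteps, (char *)&f);
    return count_clobbered(&f);
}

/* Same path through the bounded writer: its result code ... */
static int bounded_rc(size_t nsteps)
{
    struct caller_frame f;

    return toy_bp_path('j', nsteps, f.path, sizeof f.path);
}

/* ... and how many bytes after path[] it touched (always 0). */
static size_t clobbered_after_bounded(size_t nsteps)
{
    struct caller_frame f;

    memset(f.after, 'X', AFTER_SZ);
    (void)toy_bp_path('j', nsteps, f.path, sizeof f.path);
    return count_clobbered(&f);
}

int main(void)
{
    size_t n[] = { 100, 511, 512, 520 };
    size_t i;

    for (i = 0; i < sizeof n / sizeof n[0]; i++)
        printf("%4zu steps: unsafe clobbers %zu byte(s) after path[], "
               "bounded rc=%d clobbers %zu\n",
               n[i], clobbered_after_unsafe(n[i]),
               bounded_rc(n[i]), clobbered_after_bounded(n[i]));
    return 0;
}
```

A 511-step path is the longest the 512-byte buffer can hold, since the NUL needs the last byte; at 512 steps the unsafe writer already puts the terminator past the end, and each further step lands one more character in whatever follows path[]. The bounded variant rejects those same inputs and leaves the neighbouring bytes alone.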
commit e30dc41717
parent 5333782046
1 changed file with 2 additions and 0 deletions
@@ -91,6 +91,8 @@ bp_init(void)
 /*
  * Find the best path from sector to to sector, and put the Empire movement
  * string in path. Return 0 on success, -1 on error.
+ * FIXME unsafe by design: assumes path[] has space; buffer overrun
+ * when path gets long!
  */
 static int
 best_path(struct sctstr *from, struct sctstr *to, char *path, int mob_type)
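Review bot: the two added FIXME lines record the hazard but leave the interface they describe unchanged, and `best_path(struct sctstr *from, struct sctstr *to, char *path, int mob_type)` still receives no buffer size, so the function cannot honour its own documented "Return 0 on success, -1 on error" contract for a path that does not fit. Consider adding a `size_t` length argument to best_path() and threading it through to bp_path() so an over-long path fails with -1 instead of overrunning; the 512- and 1024-character caller buffers the commit message lists are the values callers would pass. Failing that, state those minimum sizes in the comment so a new caller knows what path[] must provide. Nit: the untouched line "Find the best path from sector to to sector" doubles "to"; since this hunk edits the comment block anyway, naming the parameters ("from sector from to sector to") would read better.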