On successful execute, servercmd() sets @input_fd to the batch file
descriptor. Return the file descriptor instead, and let its caller
recv_output() set @input_fd. This permits giving @input_fd static
linkage.
Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
recv_input(input_fd, &inbuf) returns zero when @inbuf is full or
@input_fd is at EOF. We avoid the former by putting @input_fd in
@rdfd only when @inbuf has space, so we can detect EOF easily. But we
missed the case where adding a cookie fills up @inbuf. We
misinterpret "can't read into full buffer" as "EOF on input" then.
Fix by checking for space again.
Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
The client can send an interrupt cookie after the EOF cookie.
Harmless, as the server throws away input after the EOF cookie. Clean
it up anyway.
Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
We increment @send_eof only when read() returns zero, and we read()
only when it's zero. Therefore, we never increment it beyond one.
Change it from counter to flag.
This effectively reverts commit 51846ec (v4.3.11). Possible only
because the previous commit got rid of the @send_eof increment on
failed execute.
Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
The server doesn't currently care for the difference, but interrupt is
more accurate than EOF. The change also enables the next commit.
Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
recv_input() passes full lines to save_input(). Pass characters
instead. Simpler, and doesn't truncate long lines.
Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
To protect against a rogue server reading your files, the client
honors C_EXECUTE only when it matches recent player input.
This has a somewhat troubled history, detailed in the previous commit.
The remaining major issue comes from commit 8b7d0b9 (v4.3.11): any
suffix of a recent line of input is accepted as C_EXECUTE text.
Before, only text that looked like an argument of an execute command
or a redirection was accepted.
Fix by again requiring the text to be preceded by something that looks
like an execute command. But do it more carefully: don't break
execute with a prompted for argument, and prevent abuse of
redirections for execute.
Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
Redirections let the server write files and run pipelines, and execute
lets it read files.
Before 4.2.0, the client simply trusted the server. 4.2.0 added
fairly complex code to recognize redirections and execute, replace the
filenames and pipelines by tag strings, remember tag string and
replaced text, and honor redirection and execute only when their text
is a known tag string. Tag and replaced text were freed on use.
Broken by design because the client cannot know whether a line will
actually be read as a command by the server. Issues included:
(1) Non-command lines could be messed up.
(2) The memory used for remembering their tags was never freed.
(3) execute prompting for its argument was incorrectly rejected.
(4) A rogue server could use a tag for the wrong purpose. For
instance, "execute fire" creates a tag for "fire", which a rogue
server could use for a pipeline to command "ire".
4.2.10 dropped the tag strings, and used the actual text as key. This
took care of (1).
Commit 17d6997 and commit 2456a71 (both v4.3.11) tightened checking of
redirections, which took care of (4) for redirections, but not
execute. Relatively harmless, because redirection text always starts
with '>' or '|', but filenames rarely do.
Commit 8b7d0b9 (v4.3.11) replaced the protection code wholesale.
Instead of attempting to recognize redirections and execute, we now
save everything in a ring buffer, and require redirections and execute
to match at a line end in the ring buffer. Much simpler, takes care
of issues (2) and (3), but adds new issues:
(5) When sent-ahead input exceeds the ring buffer, good redirections
and executes get rejected. Could be avoided by limiting send-ahead,
or remembering input until its output arrives. However, bogus
rejections haven't been a problem in practice even with a tiny 4KiB
ring buffer.
(6) The protection against rogue execute is *much* weaker, because we
now accept any line suffix. Before, we accepted any tag,
i.e. anything that looks like a redirection or an execute command.
(7) When we find a match in the ring buffer, we used to drop
everything up to that line right away. This broke redirected execute
commands. Commit 02a9af0 (v4.3.11) fixed it by delaying the drop
until the next prompt, but that's overly complicated.
This commit addresses (7): don't drop on use, simply let new input
push old input out of the ring buffer.
The next commit will address (6) and the remainder of (4).
Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
Use a "Warning: " prefix for server output violating the protocol and
for rogue redirections and executes. Don't shout "WARNING!"
In redir_authorized(), check for server issues (conflicting
redirections, rogue redirections and executes) before enforcing
restrictions (restricted mode, executing batch file), so server issues
aren't masked.
Surprisingly, popen() may not set errno on failure. Avoid reporting a
bogus errno in dopipe().
doexecute() complains about an "execute file". We call that a "batch
file" elsewhere. Reword for consistency.
Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
Peeking beyond either end of the ring buffer must return EOF. We
first compute the index, then check whether it's in range.
Unfortunately, the index computation r->prod - -n can wrap around
while r->prod is still <= RING_SIZE. If it happens, ring_peek()
returns r->buf[(r->prod - -n) % RING_SIZE] instead of EOF.
Currently harmless, because no caller peeks out of range.
Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
quiet_bigdef() runs for each attacker. It lets each eligible defender
fire at most once. The first time a defender is eligible, it fires
and is saved in the list of defenders, along with its firing damage.
If it's eligible again for a later attacker, it's found in the list of
defenders, and the damage is reused. The list of defenders searched
with search_flist(). Unfortunately, search_flist() compares only uid,
not type, and therefore can return a previously found defender of
another type.
If there are multiple attackers and multiple defenders with the same
uid, total damage can be off, damage can be spread to attackers out of
range, and defenders may not be charged shells. Abuse is possible,
but complicated to set up, and probably not worth the trouble.
Broken in commit f89edc7, v4.3.12. Fix by comparing the type as well.
Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
The "loaded on ship" condition was useless from the start (v4.2.0).
The "loaded on land" condition became useless in commit 45d090b,
v4.3.28.
Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
When the player aborts the command at the movement prompt, we write
back stale ships or land units, triggering a generation oops. Any
updates made by other threads meanwhile are wiped out, triggering a
seqno mismatch oops.
Broken in commit 24000b4, v4.3.33. Fix by restoring the lost
shp_nav_stay_behind() and lnd_mar_stay_behind() calls.
Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
When the player declines to abandon a sector, we write back stale land
units, triggering a generation oops. Any updates made by other
threads meanwhile are wiped out, triggering a seqno mismatch oops.
The culprit is lnd_abandon_askyn(): when the player declines, it
returns without calling check_sect_ok(), check_land_ok(). Broken in
commit 7c1b166, v4.3.33. Fix it.
Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
recvclient() calls ef_make_stale() only when it does actual I/O, via
io_output() and io_input(). Missed in commit 2fa5f652, v4.3.24. Call
it directly when it doesn't do actual I/O.
This makes navi-march-test expose a bug in march: when the player
declines to abandon a sector, we write back stale land units,
triggering a generation oops.
Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
When the player aborts the command at the movement prompt, or declines
to abandon a sector, unit_move() returns without freeing the list.
Found with valgrind. Broken in commit 24000b4 and commit 7c1b166,
both v4.3.33.
Free the list on these returns, too.
Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
shp_nav_gauntlet() and lnd_mar_gauntlet() read beyond the list head
when the list is empty. The values read aren't used then. Could
conceivably crash the server anyway, but it's unlikely.
Empty list happens when shp_nav_dir(), lnd_mar_dir() empty the list
and return zero. Broken in commit beedf8d, v4.3.33. Occurs in
navi-march-test (since the last commit) and in retreat-test.
Change shp_nav_dir() and lnd_mar_dir() to return one then. For
additional safety, make shp_nav_gauntlet() and lnd_mar_gauntlet() oops
on empty list and recover safely.
I think I originally found this bug with -fsanitize, but I've since
upgraded, and I can't diagnose it that way anymore.
Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
The code computing the length of the flight path checks whether the
path ends with 'h'. When getpath() returns an empty path, it accesses
flightpath[-1]. This could set the length to -1 (unlikely), or crash
(even less likely). The former could be abused to gain mobility for
sufficiently inefficient or short-ranged planes. Found with valgrind.
Broken in commit 404a76f7, v4.3.27.
Historically, getpath() could return paths with or without 'h', and
the check was necessary. It returned an empty path only when the
player gave no input, aborting the command. When the player entered
the assembly point's coordinates, it returned "h".
Commit 404a76f7 accidentally changed it to return "" then. Also broke
flying to the assembly point's coordinates. Commit 0f1e14f (v4.3.31)
fixed that part by changing getpath()'s contract: always return paths
without 'h' ("" simply means empty path), and return NULL on invalid
input, including no input.
The flawed check is superfluous since then. Drop it.
Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
There's just one, in show_product().
Use new BUILD_ASSERT() there, because its contract is even simpler
than BUILD_ASSERT_ONE()'s.
Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
We've always squashed them when the time difference is smaller than
TEL_SECONDS, regardless of sign. This involves passing the difference
to abs(), implicitly casting from time_t to int, which triggers a
Clang warning.
I could clean this up to get rid of the warning, but time should never
go backwards, and trying to make things prettier when it does isn't
worthwhile. Simply drop the abs().
While there, drop the function comment. It's been inaccurate since
Empire 3 dropped mail.c, and bogus since commit 17223e8 (v4.3.29)
added tel_cont.
Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
... when referring to a function's parameter or a struct/union's
member.
The idea of using FOO comes from the GNU coding standards:
The comment on a function is much clearer if you use the argument
names to speak about the argument values. The variable name
itself should be lower case, but write it in upper case when you
are speaking about the value rather than the variable itself.
Thus, "the inode number NODE_NUM" rather than "an inode".
Upcasing names is problematic for a case-sensitive language like C,
because it can create ambiguity. Moreover, it's too much shouting for
my taste.
GTK-Doc's convention to prefix the identifier with @ makes references
to variables stand out nicely. The rest of the GTK-Doc conventions
make no sense for us, however.
Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
Using ctime() as pr()'s first argument is safe, because its value
never contains '%'. Clean it up anyway, so we can enable
-Wformat-security.
Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
This reverts commit f4d8d64bb3.
Breaks retreat after ship got sunk by bombs or missile.
ship_bomb() and launch_missile() pass .shp_own to retreat_ship().
Wrong after putship(), because putship() resets the owner when the
ship got sunk. retreat_ship() then oopses and fails to retreat the
surviving members of the group.
Other callers save the owner before putting the ship, and pass that.
We could change these two to do the same. But since we're trying to
get a release out, simply revert the broken commit instead.
The __UNCONST() stolen from NetBSD assumes unsigned long can hold a
pointer. Not true with Win64's LLP64 data model. There, we cast the
64 bit pointer to 32 bits and back. Works only because Windows puts
the stack at a very low address, and the casts don't actually change
the pointer.
Dumb it down to a straight cast to void * for safety.
Thanks to Harald Katzer and Ron Koenderink for their help figuring out
the bug's impact.
Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
Redirections and the execute command let the user read and write files
and run programs on the local system.
Restricted mode prevents such access. This is useful when you want to
grant somebody access to just Empire, but not to the host system's
user account that runs the client.
Signed-off-by: Marisa Giancarla <fstltna@me.com>
Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
sector_can_build() computes mat[i] * (effic / 100.0). The division is
inexact. The result gets randomly rounded, so errors are vanishingly
unlikely to screw up material consumption.
However, we require the amount rounded up to be present since commit
1227d2c. Errors *can* screw that up. Fix by avoiding inexact
computation for that part.
We should probably review rounding of inexact values in general.
Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
We run "git ls-files" in the build tree. Doesn't work when the source
directory isn't a git repository, or the build directory is outside
the source directory. Broken in commit 71cb2d8.
Find source files like Make.mk does: if the source tree is a git
repository, use git ls-files, else use sources.mk.
Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
Deprecated in commit 28d4847: no space between 'm' and its first
argument. Affects explore, move, test, transport.
Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
Deprecated in commit a00f9e2: 'r' with flags, and bad flags after 't'.
Affects flags argument of bmap, sbmap, pbmap, lbmap, nbmap, and
navigate and march sub-command 'B'.
Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
emp_config() silently truncates WORLD_X to even. Drop that. We could
flag odd WORLD_X as error, but we don't validate the other
configuration values, so why this one? Instead document it needs to
be even. WORLD_Y, too.
Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
A plane with capability missile must have capability VTOL. When it's
missing, global_init() silently adds it.
Drop that. Check for it in ef_verify_config() instead.
Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
A ship with non-zero nplanes must have capability plane or miss. When
one doesn't, global_init() silently adds capability miss.
Drop that. Check for it in ef_verify_config() instead. Fix up
ship.config accordingly.
Signed-off-by: Markus Armbruster <armbru@pond.sub.org>
