qf/newtree
0
0
Fork 0
mirror of https://git.code.sf.net/p/quake/newtree synced 2024-11-22 20:21:38 +00:00
Code Issues Projects Releases Packages Wiki Activity

fix a nasty buffer overflow giving a potential remote access to the system via

Browse source 
the client. Could be especially nasty if the client is running as root and
stuffcmds can come from anywhere. exploit details:

stuffcmds rcon_password <long password>
stuffcmds rcon <long command>
This commit is contained in:
Bill Currie 2000-10-16 03:18:37 +00:00
parent e60ae3b48c
commit 8e7499cb1b
1 changed files with 9 additions and 21 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

30
source/cl_main.c
View file

@ -370,29 +370,17 @@ void CL_Rcon_f (void)
char message[1024];
int i;
netadr_t to;
int len;
if (!rcon_password->string)
{
Con_Printf ("You must set 'rcon_password' before\n"
"issuing an rcon command.\n");
return;
}
snprintf (message, sizeof (message), "\377\377\377\377rcon %s ",
rcon_password->string);
len = strlen (message);
message[0] = 255;
message[1] = 255;
message[2] = 255;
message[3] = 255;
message[4] = 0;
strcat (message, "rcon ");
strcat (message, rcon_password->string);
strcat (message, " ");
for (i=1 ; i<Cmd_Argc() ; i++)
{
strcat (message, Cmd_Argv(i));
strcat (message, " ");
for (i=1 ; i<Cmd_Argc() ; i++) {
strncat (message, Cmd_Argv(i), sizeof (message) - len - 1);
len += strlen (Cmd_Argv(i));
strncat (message, " ", sizeof (message) - len - 1);
len += strlen (" ");
}
if (cls.state >= ca_connected)