fix some nasty security holes causes by oversized connection strings. slows

down overkill slightly :/
2024-11-10 15:22:04 +00:00 · 2001-12-03 21:06:57 +00:00 · 2001-12-03 21:06:57 +00:00 · 650d682d2c
commit 650d682d2c
parent 20690b71e0
4 changed files with 43 additions and 22 deletions
--- a/include/QF/cmd.h
+++ b/include/QF/cmd.h
@ -144,8 +144,7 @@ void Cmd_StuffCmds_f (void);
 void Cbuf_Execute_Sets (void);
 void Cmd_Exec_File (const char *path);

-#define		MAX_COM_TOKEN	1024
-extern char		com_token[MAX_COM_TOKEN];
+extern char	*com_token;
 const char *COM_Parse (const char *data);

 void Cmd_ParseSpecial (char *s);
--- a/libs/util/cmd.c
+++ b/libs/util/cmd.c
@ -477,8 +477,18 @@ Cmd_Args (int start)
 void
 Cmd_TokenizeString (const char *text)
 {
-	static char argv_buf[1024];
+	static char *argv_buf;
+	static size_t argv_buf_size;
 	int         argv_idx;
+	size_t         len = strlen (text) + 1;
+
+	if (len > argv_buf_size) {
+		argv_buf_size = (len + 1023) & ~1023;
+		argv_buf = realloc (argv_buf, argv_buf_size);
+		if (!argv_buf)
+			Sys_Error ("Cmd_TokenizeString: could not allocate %d bytes",
+					   argv_buf_size);
+	}

 	argv_idx = 0;

@ -508,10 +518,6 @@ Cmd_TokenizeString (const char *text)
 			return;

 		if (cmd_argc < MAX_ARGS) {
-			if (argv_idx + strlen (com_token) + 1 > MAX_COM_TOKEN) {
-				Sys_Printf ("Cmd_TokenizeString: overflow\n");
-				return;
-			}
 			cmd_argv[cmd_argc] = argv_buf + argv_idx;
 			strcpy (cmd_argv[cmd_argc], com_token);
 			argv_idx += strlen (com_token) + 1;
@ -1024,7 +1030,24 @@ Cmd_Init (void)
 							"the documentation for details.");
 }

-char        com_token[MAX_COM_TOKEN];
+char        *com_token;
+static size_t com_token_size;
+
+static inline void
+write_com_token (size_t pos, char c)
+{
+	if (pos + 1 <= com_token_size) {
+write:
+		com_token[pos] = c;
+		return;
+	}
+	com_token_size = (pos + 1024) & ~1023;
+	com_token = realloc (com_token, com_token_size);
+	if (!com_token)
+		Sys_Error ("COM_Parse: could not allocate %d bytes",
+				   com_token_size);
+	goto write;
+}

 /*
 	COM_Parse
@ -1032,13 +1055,13 @@ char        com_token[MAX_COM_TOKEN];
 	Parse a token out of a string
 */
 const char       *
-COM_Parse (const char *data)
+COM_Parse (const char *_data)
 {
+	const byte *data = (const byte *)_data;
 	unsigned int c;
-	int         len;
+	size_t      len = 0;

-	len = 0;
-	com_token[0] = 0;
+	write_com_token (len, 0);

 	if (!data)
 		return NULL;
@ -1064,25 +1087,23 @@ skipwhite:
 		while (1) {
 			c = *data++;
 			if (c == '\"' || !c) {
-				com_token[len] = 0;
-				return data;
+				write_com_token (len, 0);
+				return c ? data : data - 1;
 			}
-			com_token[len] = c;
+			write_com_token (len, c);
 			len++;
 		}
 	}
 	// parse a regular word
 	do {
-		com_token[len] = c;
+		write_com_token (len, c);
 		data++;
 		len++;
-		if (len >= MAX_COM_TOKEN - 1)
-			break;

 		c = *data;
 	} while (c > 32);

-	com_token[len] = 0;
+	write_com_token (len, 0);
 	return data;
 }

--- a/libs/util/string.c
+++ b/libs/util/string.c
@ -63,6 +63,6 @@ size_t
 Q_strnlen (const char *s, size_t maxlen)
 {
 	size_t i;
-	for (i = 0; s[i] && i < maxlen; i++);
+	for (i = 0; i < maxlen && s[i]; i++);
 	return i;
 }
--- a/qw/source/sv_main.c
+++ b/qw/source/sv_main.c
@ -682,7 +682,7 @@ SVC_GetChallenge (void)
 void
 SVC_DirectConnect (void)
 {
-	info_t     *userinfo;
+	info_t     *userinfo = 0;
 	const char *s;
 	client_t   *cl, *newcl;
 	client_t    temp;
@ -707,7 +707,8 @@ SVC_DirectConnect (void)

 	challenge = atoi (Cmd_Argv (3));

-	userinfo = Info_ParseString (Cmd_Argv (4), 1023);
+	if (strlen (Cmd_Argv (4)) < MAX_INFO_STRING)
+		userinfo = Info_ParseString (Cmd_Argv (4), 1023);

 	// Validate the userinfo string.
 	if (!userinfo) {