On Sat, Feb 08, 2003 at 11:18:49PM -0800, tsao_4sh0@hushmail.com wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> >
> > ###################################################
> >
> > /usr/games/lib/nethackdir/nethack - LOCALLY EXPLOITABLE BUFFER
> >
> > try th1s: nethack -s `perl -e "print 'A' x 1000"`

Here is a bandaid that I just committed to the FreeBSD Ports Collection and
also submitted to the NetHack developers.  I say 'bandaid', because there
might be a lot of other strcat() weirdnesses in the NetHack source :(

The patch is also available at
http://people.FreeBSD.org/~roam/devel/nethack/topten.c.patch

G'luck,
Peter

-- 
Peter Pentchev    roam@ringlet.net    roam@FreeBSD.org
PGP key:          http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint   FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
I've heard that this sentence is a rumor.

--- src/topten.c    Thu Mar 21 01:43:19 2002
+++ src/topten.c    Tue Feb 11 15:36:23 2003
@@ -855,8 +855,15 @@
     if (playerct < 1) Strcat(pbuf, "you.");
     else {
         if (playerct > 1) Strcat(pbuf, "any of ");
-        for (i = 0; i < playerct; i++) {
-            Strcat(pbuf, players[i]);
+        for (i = 0; i < playerct && strlen(pbuf) < sizeof(pbuf) - 2;
+             i++) {
+            size_t len = strlen(pbuf), rest;
+            if (strlen(players[i]) > sizeof(pbuf) - len - 2) {
+                rest = sizeof(pbuf) - strlen(pbuf) - 2;
+                memcpy(pbuf + len, players[i], rest);
+                pbuf[len + rest] = '\0';
+            } else
+                Strcat(pbuf, players[i]);
             if (i < playerct-1) {
                 if (players[i][0] == '-' &&
                     index("pr", players[i][1]) && players[i][2] == 0)
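Review bot: the safety of this hunk rests entirely on the undocumented `- 2` reserve: after a truncated copy, `pbuf` is filled up to `sizeof(pbuf) - 2`, the loop condition `strlen(pbuf) < sizeof(pbuf) - 2` then stops further names, but the separator logic under `if (i < playerct-1)` still runs on the truncated entry before the loop exits, so the two reserved bytes are what keeps that later append in bounds. A comment stating what the reserve is for (and that it must grow if a longer separator or suffix is ever appended after the loop) would make that explicit, and `rest = sizeof(pbuf) - len - 2;` should use the `len` already computed rather than calling `strlen(pbuf)` a second time. The whole check also assumes `pbuf` is a fixed-size array so that `sizeof(pbuf)` is the buffer capacity; if it is ever changed to a pointer, `sizeof` silently becomes the pointer size and the bound is wrong.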
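The patch above bounds one strcat() site in topten.c. The following is an added example, not NetHack's code or Peter's patch, showing the general form of the technique in a stand-alone program: a bounded append that keeps a caller-chosen reserve free, used to build the same "any of name:name." list from attacker-controlled names into a fixed buffer. The buffer size PBUFSZ, the function names append_bounded() and build_player_list(), and the sample inputs (including a 1000-byte name like the one in the report) are all constructed for the example; it differs from the patch in that it skips the separator after a truncated name rather than appending it.

```c
#include <stdio.h>
#include <string.h>

/* Assumption: a deliberately small buffer so the constructed inputs below
 * exercise the truncation path; NetHack's own pbuf is larger. */
#define PBUFSZ 32

/* Append src to the NUL-terminated string in dst (capacity dstsize), never
 * writing past dstsize - 1 - reserve, so that 'reserve' bytes stay free for
 * whatever the caller appends later (a separator, a final '.').
 * Returns 1 if src was copied whole, 0 if it was cut short or dropped. */
static int append_bounded(char *dst, size_t dstsize, const char *src, size_t reserve)
{
    size_t len = strlen(dst);
    size_t slen = strlen(src);
    size_t room;                     /* bytes usable for src, excluding NUL and reserve */

    if (dstsize < 1 + reserve || len >= dstsize - 1 - reserve)
        return 0;                    /* buffer is already at its limit */
    room = dstsize - 1 - reserve - len;
    if (slen <= room) {
        memcpy(dst + len, src, slen + 1);   /* fits, including the NUL */
        return 1;
    }
    memcpy(dst + len, src, room);    /* partial copy, then terminate */
    dst[len + room] = '\0';
    return 0;
}

/* Build "you." / "name." / "any of a:b:c." into pbuf without ever overrunning
 * it. Two bytes are kept in reserve while names are appended: one for the
 * ':' separator, one for the closing '.'. Returns how many names fit whole. */
static int build_player_list(char *pbuf, size_t pbufsize,
                             const char *const *players, int playerct)
{
    int i, complete = 0;

    pbuf[0] = '\0';
    if (playerct < 1) {
        append_bounded(pbuf, pbufsize, "you.", 0);
        return 0;
    }
    if (playerct > 1)
        append_bounded(pbuf, pbufsize, "any of ", 2);
    for (i = 0; i < playerct && strlen(pbuf) < pbufsize - 2; i++) {
        int fit = append_bounded(pbuf, pbufsize, players[i], 2);
        if (fit)
            complete++;
        /* separator only after a name that fit; 1 byte still reserved for '.' */
        if (fit && i < playerct - 1)
            append_bounded(pbuf, pbufsize, ":", 1);
    }
    append_bounded(pbuf, pbufsize, ".", 0);
    return complete;
}

/* Constructed sample inputs: ordinary names, and a hostile 1000-byte name of
 * the kind the original report passes via 'nethack -s'. */
static char long_name[1001];
static const char *friendly[2] = { "alice", "bob" };
static const char *hostile[2]  = { long_name, "bob" };
static char pbuf_demo[PBUFSZ];

static void init_samples(void)
{
    memset(long_name, 'A', sizeof(long_name) - 1);
    long_name[sizeof(long_name) - 1] = '\0';
}

int main(void)
{
    init_samples();
    build_player_list(pbuf_demo, sizeof pbuf_demo, friendly, 2);
    printf("%s\n", pbuf_demo);       /* any of alice:bob. */
    build_player_list(pbuf_demo, sizeof pbuf_demo, hostile, 2);
    printf("%s (len %zu of %zu)\n", pbuf_demo, strlen(pbuf_demo), sizeof pbuf_demo);
    return 0;
}
```

The check that matters for the report's input is the second call: the 1000-byte name is cut to what the buffer can hold, the remaining name is dropped, and the string still ends in '.' with strlen() strictly below the capacity. The return value lets a caller notice that the list is incomplete, which Strcat() never reports.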