While documenting the FICS (Free Internet Chess Server) protocol for purposes of an alternative to the xboard program, I encountered what looks to be a potential for attack. This vulnerability has been verified by one of the largest FICS-based systems, chess.net <http://www.chess.net>. The problem involves unchecked user input to a fixed-length string. Non-denial-of-service exploitation of the questionable code looks possible but not trivial, as there is not room in the buffer for shell code, but putting it elsewhere is certainly a possibility. I have written a patch that resolves the problem, in some fashion.

------------------------------------------------------------------------------- --- gameproc.c Tue Nov 16 13:52:31 1999 +++ gameproc.1.c Sat Nov 20 19:45:08 1999 @@ -24,6 +24,7 @@ Second is obsproc.c. DAV 96/7/1 Added avail stuff */ +/* canulat_private com_boards buffer overflow fix */ #include "stdinclude.h" @@ -1445,6 +1446,16 @@ if (param[0].type == TYPE_WORD) category = param[0].val.word; + +#ifndef CATEGORY_LIMIT +# define CATEGORY_LIMIT 100 +#endif + if (strlen(category) > CATEGORY_LIMIT) + { + pprintf(p, "That category exceeds the string limit\n"); + return COM_OK; + } + if (category) { pprintf(p, "Boards Available For Category %s:\n", category); sprintf(dname, "%s/%s", board_dir, category);
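Review bot: the comment `/* canulat_private com_boards buffer overflow fix */` added in the first hunk sits in the file header, far from the code it describes, and will drift as the file changes; put it inside com_boards next to the new check and name the buffer it protects (dname) and the bound it enforces, rather than leaving a bare "fix" marker at the top of gameproc.c.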
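Review bot: in the second hunk the new `if (strlen(category) > CATEGORY_LIMIT)` runs before the existing `if (category)` test, so in the case that test exists for (param[0].type is not TYPE_WORD and category is not set from param[0].val.word) the check itself dereferences a NULL or unset pointer; move the length check inside the `if (category) {` block. CATEGORY_LIMIT 100 is also not derived from the buffer being protected: the `sprintf(dname, "%s/%s", board_dir, category)` below writes strlen(board_dir) + 1 + strlen(category) + 1 bytes, so a limit on category alone only works if dname is known to have room for board_dir and the separator as well. The simpler fix is to make the write bounded where it happens, `snprintf(dname, sizeof(dname), "%s/%s", board_dir, category)` with the return value checked against sizeof(dname), which removes the overflow whatever the constant is set to. Finally, a length check says nothing about the contents of category, which the sprintf folds straight into a directory path; a category containing '/' or consisting of ".." should be rejected along with overlong ones.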
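The pattern behind the report is a fixed-size buffer filled by sprintf with no reference to its size. The following is an added example written for this page, not code from the FICS server or from the patch above. It assumes a 64-byte destination (the real size of dname in gameproc.c is not shown here), an assumed board_dir of "/usr/local/fics/boards", and a constructed 120-character category name; it puts the unsafe form beside a hardened replacement whose bound is taken from the destination buffer rather than from a separate constant, and which also rejects category names that are not a single directory entry.

```c
#include <stdio.h>
#include <string.h>

/* Assumed destination size for the demo; gameproc.c's real dname length is not shown in the post. */
#define DNAME_LEN 64

/* The shape of the code the patch guards: a fixed buffer written by sprintf with no
 * reference to its size. Kept here for contrast only; never call it with untrusted input. */
void build_board_path_unsafe(char *dname, const char *board_dir, const char *category)
{
    sprintf(dname, "%s/%s", board_dir, category);   /* overflows when the pieces do not fit */
}

/* Hardened replacement. Returns 0 on success and a negative code on rejection:
 *  -1  category missing (the caller's `if (category)` test, done before any strlen)
 *  -2  category is not a single directory entry ('/' inside it, or "." / "..")
 *  -3  the result would not fit in dname_len bytes (snprintf reports the full length)
 * On any failure dname is left as an empty string so a caller cannot use a partial path. */
int build_board_path(char *dname, size_t dname_len, const char *board_dir, const char *category)
{
    if (dname_len == 0)
        return -3;
    dname[0] = '\0';
    if (category == NULL || category[0] == '\0')
        return -1;
    if (strchr(category, '/') != NULL || strcmp(category, ".") == 0 || strcmp(category, "..") == 0)
        return -2;
    int n = snprintf(dname, dname_len, "%s/%s", board_dir, category);
    if (n < 0 || (size_t)n >= dname_len) {
        dname[0] = '\0';
        return -3;
    }
    return 0;
}

/* Constructed oversize input (120 'A's). A fixed CATEGORY_LIMIT of 100 would reject it,
 * but a 90-character name would pass that limit and still overflow a 64-byte dname;
 * sizing the check from the destination catches both. */
const char *long_category(void)
{
    static char s[121];
    memset(s, 'A', sizeof s - 1);
    s[sizeof s - 1] = '\0';
    return s;
}

int main(void)
{
    char dname[DNAME_LEN];
    const char *board_dir = "/usr/local/fics/boards";   /* assumed path */
    const char *inputs[] = { "openings", long_category(), "../../etc", NULL };

    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int rc = build_board_path(dname, sizeof dname, board_dir, inputs[i]);
        printf("rc=%d dname=\"%s\"\n", rc, dname);
    }
    return 0;
}
```

The bound is `sizeof dname` at the call site, so it cannot fall out of step with the buffer the way a separately defined CATEGORY_LIMIT can, and the snprintf return value is what tells you the input was too long, which is also the right place to send the "exceeds the string limit" message to the user.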
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:14:47 PDT