Hi,

"Gabriel A. Maggiotti" wrote:
> Unreal3.1.1 has a format string vuln in Cio_PrintF(...) function.
> This function is in /src/cio_main.c file
>
> Piece of code:
>
>   va_start(argptr, InBuf);
>   Len = vsprintf(Buffer, InBuf, argptr);
>   va_end(argptr);
>
> The problem is with InBuf, if %p.%p.%p.%n is written in InBuf a segfault
> is produced, the program crashes when it tries to copy the value of eax
> to the address of edx.

Are you talking about:

  BOOL Cio_PrintF(HWND hWnd, char *InBuf, ...)
  {
    [..]
    va_start(argptr, InBuf);
    Len = vsprintf(Buffer, InBuf, argptr);
    va_end(argptr);

??

Then I think you are wrong because it's the purpose of that function (see
glibc documentation for example for va_* stuff). Of course if the function
Cio_PrintF is called with user input in InBuf we have a problem.

BTW I've never seen that function before and I don't see it used anywhere
but I might be wrong (I never look at the Windows part of the UnrealIrcd
source).

Please use Unreal3.2 (beta6 currently) instead, Unreal3.1.2 has some
serious bugs.

Bram Matthys (1% UnrealIrcd coder)

PS: Please report bugs to codersat_private
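Added illustration, not code from the thread or from UnrealIRCd: a stand-alone C sketch of the wrapper pattern quoted above, showing why a vsprintf-style wrapper is fine by design and where the actual risk sits, namely a caller that hands untrusted text to InBuf as the format. HWND is replaced by a void pointer stand-in, and BUFFER_LEN, print_untrusted_safely and contains_format_directive are assumptions made for the example. Two defensive changes versus the quoted snippet are built in: vsnprintf bounds the output, and the GCC/Clang format attribute makes -Wformat-security flag any call site that passes a non-literal format.

```c
#include <stdarg.h>
#include <stdio.h>

/* Stand-in for the Win32 HWND type so the example builds on any platform
   (assumption: the real Cio_PrintF takes a window handle it writes to). */
typedef void *HWND;

#define BUFFER_LEN 512   /* assumed size; the real Buffer size is not on the page */

/* Hypothetical wrapper modelled on the pattern quoted in the mail: the format
   string is the second parameter and the variadic arguments follow it, exactly
   like printf. The format attribute tells the compiler which parameter is the
   format, so a caller doing Cio_PrintF(h, user_input) is reported by
   -Wformat-security instead of silently becoming a format string bug. */
#if defined(__GNUC__)
__attribute__((format(printf, 2, 3)))
#endif
int Cio_PrintF(HWND hWnd, const char *InBuf, ...)
{
    char Buffer[BUFFER_LEN];
    va_list argptr;
    int Len;

    (void)hWnd; /* the real function targets a window; here output goes to stdout */
    va_start(argptr, InBuf);
    Len = vsnprintf(Buffer, sizeof Buffer, InBuf, argptr);   /* bounded, unlike vsprintf */
    va_end(argptr);
    if (Len < 0)
        return Len;
    if ((size_t)Len >= sizeof Buffer)
        Len = (int)sizeof Buffer - 1;   /* output was truncated to fit Buffer */
    fputs(Buffer, stdout);
    return Len;   /* number of characters actually written */
}

/* The correct call shape: untrusted text is data, passed through a fixed
   "%s" format, so any '%' sequences inside it are printed literally. */
int print_untrusted_safely(HWND hWnd, const char *untrusted)
{
    return Cio_PrintF(hWnd, "%s", untrusted);
}

/* Detection helper for review or runtime checks: returns 1 if the string
   contains a conversion directive (a '%' not immediately followed by another
   '%'), meaning it must never be used as a format string. "%%" is a literal
   percent sign and does not count. */
int contains_format_directive(const char *s)
{
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* skip the escaped pair */
            s++;
            continue;
        }
        return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample input with the shape described in the mail. */
    const char *untrusted = "%p.%p.%p.%n";

    print_untrusted_safely(NULL, untrusted);   /* prints the text literally */
    Cio_PrintF(NULL, "\ncontains directive: %d\n", contains_format_directive(untrusted));
    return 0;
}
```

Compile with `-Wall -Wformat -Wformat-security`; with the attribute in place, a hypothetical `Cio_PrintF(hWnd, untrusted)` call site produces a warning at build time, which is the cheapest place to catch this class of bug.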
This archive was generated by hypermail 2b30 : Tue Feb 26 2002 - 02:21:21 PST