InfoSect, Canberra's hackerspace, regularly runs public group sessions to perform code review and vulnerability discovery. Over the next 30 days, I'll highlight the source code of 30 unknown vulnerabilities.
Bug #11
In the lbreakout2 game, if the server sends a zero-length string ("\0") as the channel name in a MSG_SET_CHANNEL message, the client performs an out-of-bounds read. Not a useful out-of-bounds read, but an out-of-bounds read nevertheless.
client/client_recv.c

    case MSG_SET_CHANNEL:
    {
        /* we only need to update the name */
        char *s = msg_read_string();
        gui_label_set_text( label_channel, s );
        handled = 1;
    }
    break;
gui/gui_label.c

    void gui_label_set_text( GuiWidget *widget, char *format, ... )
    {
        ...
        text = text_create( widget->spec.label.text,
                            (widget->screen_region.w - 2 * widget->border) /
                            widget->spec.label.font->width );
    static LabelText* text_create( char *orig_str, int char_width )
    {
        int i, j;
        char line[256]; /* a line should not exceed this length */
        int pos;
        int last_space;
        int new_line;
        LabelText *text = 0;
        char *str = 0;
        text = calloc ( 1, sizeof( LabelText ) );
        /* maybe orig_str is a constant expression; duplicate for safety */
        str = strdup( orig_str );
        ...
        if ( char_width > 0 ) {
            for ( i = 0; i < strlen( str ); i++ )
                if ( str[i] == 10 )
                    text->count++;
            /* maybe one unfinished line */
            if ( str[strlen( str ) - 1] != 10 )
                text->count++;
        }

The check `if ( str[strlen( str ) - 1] != 10 )` is our out-of-bounds read: for an empty string strlen( str ) is 0, so the index is (size_t)-1, which in pointer arithmetic lands on the byte before the buffer, i.e. str[-1].
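The line-counting logic above, rewritten as an added example (not lbreakout2's own code) that handles the empty-string case, alongside a hypothetical server-side check that would keep an empty channel name from reaching the label code at all:

```c
#include <stddef.h>
#include <string.h>

/* Added example, not lbreakout2 code: the line-count step of
 * text_create() with the empty-string edge case handled. */

/* The index the original expression computes, returned without
 * dereferencing it. For "" it is (size_t)-1, which in pointer
 * arithmetic wraps to the byte before the buffer (str[-1]). */
size_t original_last_index(const char *str)
{
    return strlen(str) - 1;
}

/* Count lines the way text_create() does, but never read before
 * the buffer: an empty string simply has zero lines. */
int count_lines_safe(const char *str)
{
    size_t len = strlen(str);
    int count = 0;
    size_t i;

    if (len == 0)
        return 0;               /* the case the original code misses */

    for (i = 0; i < len; i++)
        if (str[i] == '\n')
            count++;

    /* maybe one unfinished line */
    if (str[len - 1] != '\n')
        count++;

    return count;
}

/* Hypothetical validation on the receiving side (not in the game):
 * reject an empty channel name before it is handed to the GUI. */
int channel_name_is_valid(const char *name)
{
    return name != NULL && name[0] != '\0';
}
```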