InfoSect's Month of Pointless Bugs (#23)
InfoSect, Canberra's hackerspace, regularly runs public group sessions to perform code review and vulnerability discovery. Over the next 30 days, I'll highlight the source code of 30 unknown vulnerabilities.
Bug #23
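This is another small bug in the lbreakout2 network game server. The name string may not be NUL-terminated after the strncpy: if the string returned by msg_read_string() is 16 bytes or longer, strncpy fills all 16 bytes of name and writes no terminator, so the strchr that follows reads past the end of the buffer.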
static void parse_packet_channel( ServerUser *user, ServerChannel *channel )
{
    int id;
    unsigned char type;
    char name[16];
    ServerUser *recv;
    ServerGameCtx ctx;
    ServerChannel *newchannel;
    ...
        case MSG_ENTER_CHANNEL:
            /* strncpy writes no NUL when the source is 16 bytes or longer */
            strncpy(name,msg_read_string(),16);
            /* strchr scans until it finds a NUL, which may lie outside name[] */
            if ( strchr( name, ' ' ) ) {
                sprintf( errbuf, _("Channel name must not contain blanks!") );
                send_info( user, MSG_ERROR, errbuf );
                break;
            }
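The following is an added example, not code from lbreakout2 or from the original post. It reproduces the strncpy behaviour on a 16-byte buffer and shows one way to validate the name before copying; copy_like_server, copy_channel_name and the src_max parameter are hypothetical names, and the inputs are constructed.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16 /* size of name[] in parse_packet_channel */

/* Same copy as the snippet above. Returns 1 if dst holds a NUL within
 * NAME_LEN bytes, 0 if strncpy filled the buffer and wrote no terminator.
 * memchr is bounded, so the check itself never reads past dst. */
int copy_like_server(char *dst, const char *src)
{
    strncpy(dst, src, NAME_LEN);
    return memchr(dst, '\0', NAME_LEN) != NULL;
}

/* Hypothetical hardened copy: validate first, then copy.
 * src_max is the number of readable bytes at src (assumed known to caller).
 * Returns 0 on success, -1 if the name does not fit, -2 if it has a blank. */
int copy_channel_name(char *dst, const char *src, size_t src_max)
{
    const char *end = memchr(src, '\0', src_max);
    size_t len;

    if (end == NULL)
        return -1;              /* source not terminated within src_max */
    len = (size_t)(end - src);
    if (len >= NAME_LEN)
        return -1;              /* reject instead of silently truncating */
    if (memchr(src, ' ', len) != NULL)
        return -2;              /* blank check bounded by len */
    memcpy(dst, src, len + 1);  /* len + 1 copies the terminator too */
    return 0;
}

int main(void)
{
    char name[NAME_LEN];
    /* Constructed inputs: 5, 15 and 16 characters long. */
    const char *samples[] = { "lobby", "ABCDEFGHIJKLMNO", "ABCDEFGHIJKLMNOP" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int terminated = copy_like_server(name, samples[i]);
        int rc = copy_channel_name(name, samples[i], strlen(samples[i]) + 1);
        printf("%-16s strncpy terminated=%d hardened rc=%d\n",
               samples[i], terminated, rc);
    }
    return 0;
}
```

A 15-character name is the longest that strncpy still terminates in a 16-byte buffer, which is why the hardened check rejects any length of NAME_LEN or more.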