InfoSect's Month of Pointless Bugs (#24)
InfoSect, Canberra's hackerspace, regularly runs public group sessions to perform code review and vulnerability discovery. Over the next 30 days, I'll highlight the source code of 30 unknown vulnerabilities.
Bug #24
In the omega-rpg game:
void player_dump( void )
{
    FILE *dumpfile;
    char dump_name[ 32 ];
    /* build player dump file name as "charactername.txt" */
    strncpy( dump_name, Player.name, 27 );
    strcat( dump_name, ".txt" );
strncpy is not guaranteed to NUL-terminate the destination: if Player.name is 27 characters or longer, no terminator is written to dump_name. This might lead to a buffer overflow in the subsequent strcat.
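An added example (not code from omega-rpg or from the original post) that shows the missing terminator without triggering the overflow, next to one bounded way to build the same file name. The helper names strncpy_terminates and build_dump_name, the two macros and the sample names are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>

#define DUMP_NAME_SIZE 32   /* same size as dump_name in player_dump() */
#define NAME_COPY_LEN  27   /* same bound passed to strncpy() there */

/* Hypothetical helper: returns 1 if strncpy(buf, name, 27) left a NUL
 * inside the 27 copied bytes, 0 if the copy ended up unterminated. */
int strncpy_terminates(const char *name)
{
    char buf[DUMP_NAME_SIZE];

    memset(buf, 'X', sizeof buf);      /* stand-in for stale stack bytes */
    strncpy(buf, name, NAME_COPY_LEN); /* the call from player_dump() */
    return memchr(buf, '\0', NAME_COPY_LEN) != NULL;
}

/* Hypothetical hardened builder: writes "<first 27 chars of name>.txt".
 * snprintf always terminates and never writes past outsz; a result that
 * does not fit is reported as -1 instead of being used truncated. */
int build_dump_name(char *out, size_t outsz, const char *name)
{
    int n = snprintf(out, outsz, "%.*s.txt", NAME_COPY_LEN, name);

    if (n < 0 || (size_t)n >= outsz)
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed sample names: one short, one longer than 27 characters. */
    const char *names[] = { "Gandalf", "AVeryLongCharacterNameOfFortyCharsExactly" };
    char dump_name[DUMP_NAME_SIZE];
    size_t i;

    for (i = 0; i < sizeof names / sizeof names[0]; i++) {
        printf("%-42s strncpy terminated: %d\n",
               names[i], strncpy_terminates(names[i]));
        if (build_dump_name(dump_name, sizeof dump_name, names[i]) == 0)
            printf("  bounded result: %s\n", dump_name);
    }
    return 0;
}
```

With a 32-byte buffer the bounded form always fits: at most 27 name characters, four for ".txt" and one terminator.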