authorMike Frysinger <vapier@gentoo.org>2005-07-14 02:24:00 +0000
committerMike Frysinger <vapier@gentoo.org>2005-07-14 02:24:00 +0000
commit80843826bc7badcc6add9f34832437c14660fbbc (patch)
treea08108873ab6db3f699b068c18062d9922f0890a /games-strategy
parentfix building with newer flex (diff)
Fix DoS in server #98922 by Stefan Cornelius.
Package-Manager: portage-2.0.51.22-r1
Diffstat (limited to 'games-strategy')
-rw-r--r--games-strategy/netpanzer/ChangeLog9
-rw-r--r--games-strategy/netpanzer/Manifest12
-rw-r--r--games-strategy/netpanzer/files/digest-netpanzer-0.8-r12
-rw-r--r--games-strategy/netpanzer/files/netpanzer-0.8-min-size-check.patch33
-rw-r--r--games-strategy/netpanzer/files/netpanzer-0.8-robust.patch205
-rw-r--r--games-strategy/netpanzer/netpanzer-0.8-r1.ebuild68
6 files changed, 324 insertions, 5 deletions
diff --git a/games-strategy/netpanzer/ChangeLog b/games-strategy/netpanzer/ChangeLog
index e2164b07b8cc..b0f81c77d120 100644
--- a/games-strategy/netpanzer/ChangeLog
+++ b/games-strategy/netpanzer/ChangeLog
@@ -1,6 +1,13 @@
# ChangeLog for games-strategy/netpanzer
# Copyright 2000-2005 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/games-strategy/netpanzer/ChangeLog,v 1.18 2005/07/01 17:50:00 fmccor Exp $
+# $Header: /var/cvsroot/gentoo-x86/games-strategy/netpanzer/ChangeLog,v 1.19 2005/07/14 02:24:00 vapier Exp $
+
+*netpanzer-0.8-r1 (14 Jul 2005)
+
+ 14 Jul 2005; Mike Frysinger <vapier@gentoo.org>
+ +files/netpanzer-0.8-min-size-check.patch,
+ +files/netpanzer-0.8-robust.patch, +netpanzer-0.8-r1.ebuild:
+ Fix DoS in server #98922 by Stefan Cornelius.
01 Jul 2005; Ferris McCormick <fmccor@gentoo.org> netpanzer-0.8.ebuild:
Add ~sparc keyword --- Users report success running it, and it does build
diff --git a/games-strategy/netpanzer/Manifest b/games-strategy/netpanzer/Manifest
index 590c8d119d6f..e98144904952 100644
--- a/games-strategy/netpanzer/Manifest
+++ b/games-strategy/netpanzer/Manifest
@@ -3,16 +3,20 @@ Hash: SHA1
MD5 00d7302016b989bd8a8f1cca48f6967b netpanzer-0.8.ebuild 1957
MD5 f17b9b8fa07a38914fe1c03268f51678 metadata.xml 158
-MD5 71d2fec96bd64587155b6b7f64e93cad ChangeLog 3184
+MD5 c1d25b73c6d0c16bad58ceaf594297e8 netpanzer-0.8-r1.ebuild 2020
+MD5 0b214dc61d9bf3a083226965821d8bf2 ChangeLog 3424
MD5 a254cf85014dab1f14a620fc3549355f files/netpanzer.rc 891
+MD5 616b3d065523e34fd3e0d5d8ada5d053 files/netpanzer-0.8-min-size-check.patch 1385
MD5 52b3f20dca70a177cc63da9903b5f5fb files/physfs.patch 553
+MD5 b31fb3b6d8c97b5f87ef8a825a60db2e files/digest-netpanzer-0.8-r1 139
MD5 31c24932718cd34666bf4e1b800772fb files/netpanzer-ded.ini 1261
MD5 b31fb3b6d8c97b5f87ef8a825a60db2e files/digest-netpanzer-0.8 139
+MD5 c40c9070d28732d4ca56e37277e5807f files/netpanzer-0.8-robust.patch 8203
MD5 e45870d0456ec36ed692b70fada22bb5 files/netpanzer-ded 353
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
-iD8DBQFC1cTPgIKl8Uu19MoRAiU3AJ9PFTETGiG3BwdaVcCXryrQdUzrWQCfeaBn
-jyISBs7516GdtpeAnwRghj8=
-=hBAi
+iD8DBQFC1c0VgIKl8Uu19MoRAs5aAJ9x+GAuyC9QE8aLr6TUxxuQV2IzGQCePQIQ
+uSAgwmU1x3Xj/f02Yx5nnsQ=
+=8myL
-----END PGP SIGNATURE-----
diff --git a/games-strategy/netpanzer/files/digest-netpanzer-0.8-r1 b/games-strategy/netpanzer/files/digest-netpanzer-0.8-r1
new file mode 100644
index 000000000000..1f7f2a2367ef
--- /dev/null
+++ b/games-strategy/netpanzer/files/digest-netpanzer-0.8-r1
@@ -0,0 +1,2 @@
+MD5 c08c1b703eac533407db02510deca68e netpanzer-0.8.tar.bz2 382007
+MD5 d2dbd5a6c38a181fa3b6aa9a68c81d2f netpanzer-data-0.8.tar.bz2 10123751
diff --git a/games-strategy/netpanzer/files/netpanzer-0.8-min-size-check.patch b/games-strategy/netpanzer/files/netpanzer-0.8-min-size-check.patch
new file mode 100644
index 000000000000..dc97ffcf4a7c
--- /dev/null
+++ b/games-strategy/netpanzer/files/netpanzer-0.8-min-size-check.patch
@@ -0,0 +1,33 @@
+The size needs to be at least 2 or the code gets hung up.
+
+http://bugs.gentoo.org/98922
+
+--- src/NetPanzer/Network/ServerSocket.cpp
++++ src/NetPanzer/Network/ServerSocket.cpp
+@@ -169,7 +169,7 @@
+
+ size = htol16(*((int16_t*) tempbuffer));
+
+- if ( (size < 0) || (size > _MAX_NET_PACKET_SIZE) ) {
++ if ( (size < 2) || (size > _MAX_NET_PACKET_SIZE) ) {
+ LOG( ("OnReadStreamServer : Invalid Packet Size %d", size) );
+ recvoffset = 0;
+ client->headerincomplete = false;
+@@ -224,7 +224,7 @@
+
+ size = htol16(*((int16_t*) tempbuffer));
+
+- if ( (size < 0) || (size > _MAX_NET_PACKET_SIZE) ) {
++ if ( (size < 2) || (size > _MAX_NET_PACKET_SIZE) ) {
+ LOG( ("OnReadStreamServer : Invalid Packet Size %d", size) );
+ recvoffset = 0;
+ client->messageincomplete = false;
+@@ -266,7 +266,7 @@
+ } else if (recvsize >= 2) {
+ size = htol16(*((int16_t*) (recvbuffer + recvoffset)));
+
+- if( (size < 0) || (size > _MAX_NET_PACKET_SIZE) ) {
++ if( (size < 2) || (size > _MAX_NET_PACKET_SIZE) ) {
+ LOG( ("OnReadStreamServer : Invalid Packet Size %d", size) );
+ recvoffset = 0;
+ client->tempoffset = 0;
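Review bot: The new lower bound of 2 in the three checks (all logged as `OnReadStreamServer`) equals only the width of the 16-bit length field that was just read, so a frame declaring a size of exactly 2 is accepted although it has no room for a message header. If the fixed `NetMessage` header is larger than two bytes (its layout is not visible here), the bound should be that header size, e.g. `if ( (size < (int) sizeof(NetMessage)) || (size > _MAX_NET_PACKET_SIZE) ) {`. The condition is repeated at three sites, so a named constant or a small helper would keep them from drifting apart. The enclosing function starts and ends outside these hunks, so what happens to the connection after the offsets are reset cannot be checked from here.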
diff --git a/games-strategy/netpanzer/files/netpanzer-0.8-robust.patch b/games-strategy/netpanzer/files/netpanzer-0.8-robust.patch
new file mode 100644
index 000000000000..d0e138e7f687
--- /dev/null
+++ b/games-strategy/netpanzer/files/netpanzer-0.8-robust.patch
@@ -0,0 +1,205 @@
+A few more sanity checks from upstream svn.
+
+Index: src/NetPanzer/Interfaces/ChatInterface.cpp
+===================================================================
+--- src/NetPanzer/Interfaces/ChatInterface.cpp (revision 928)
++++ src/NetPanzer/Interfaces/ChatInterface.cpp (revision 929)
+@@ -39,9 +39,16 @@
+ ChatMesg chat_mesg;
+ const ChatMesgRequest* chat_request = (const ChatMesgRequest*) message;
+
++ if(chat_request->getSourcePlayerIndex() >= PlayerInterface::getMaxPlayers())
++ {
++ LOGGER.warning("Invalid chatMessageRequest");
++ return;
++ }
++
+ chat_mesg.setSourcePlayerIndex(chat_request->getSourcePlayerIndex());
+ chat_mesg.message_scope = chat_request->message_scope;
+- strcpy( chat_mesg.message_text, chat_request->message_text );
++ snprintf(chat_mesg.message_text, sizeof(chat_mesg.message_text), "%s",
++ chat_request->message_text);
+
+ if( chat_request->message_scope == _chat_mesg_scope_all ) {
+ SERVER->sendMessage(&chat_mesg, sizeof(ChatMesg));
+@@ -126,6 +133,11 @@
+ unsigned short local_player_index;
+ const ChatMesg *chat_mesg = (const ChatMesg*) message;
+
++ if(chat_mesg->getSourcePlayerIndex() >= PlayerInterface::getMaxPlayers()) {
++ LOGGER.warning("malformed chatmessage packet.");
++ return;
++ }
++
+ if( chat_mesg->message_scope == _chat_mesg_scope_server ) {
+ ConsoleInterface::postMessage("Server: %s", chat_mesg->message_text );
+ return;
+Index: src/NetPanzer/Interfaces/GameManager.cpp
+===================================================================
+--- src/NetPanzer/Interfaces/GameManager.cpp (revision 928)
++++ src/NetPanzer/Interfaces/GameManager.cpp (revision 929)
+@@ -411,6 +411,11 @@
+ = (const SystemConnectAlert*) message;
+ PlayerState *player_state = 0;
+
++ if(connect_alert->getPlayerID() >= PlayerInterface::getMaxPlayers()) {
++ LOGGER.warning("Malformed connect alert message.");
++ return;
++ }
++
+ player_state = PlayerInterface::getPlayerState( connect_alert->getPlayerID() );
+
+ switch (connect_alert->alert_enum) {
+@@ -471,6 +476,11 @@
+ const SystemPingRequest *ping_request
+ = (const SystemPingRequest*) message;
+
++ if(ping_request->getClientPlayerIndex() >= PlayerInterface::getMaxPlayers()) {
++ LOGGER.warning("Invalid pingRequest message");
++ return;
++ }
++
+ player_id = PlayerInterface::getPlayerID( ping_request->getClientPlayerIndex() );
+
+ SystemPingAcknowledge ping_ack;
+Index: src/NetPanzer/Interfaces/PlayerInterface.cpp
+===================================================================
+--- src/NetPanzer/Interfaces/PlayerInterface.cpp (revision 928)
++++ src/NetPanzer/Interfaces/PlayerInterface.cpp (revision 929)
+@@ -25,6 +25,7 @@
+ #include "PlayerNetMessage.hpp"
+ #include "Server.hpp"
+ #include "NetworkServer.hpp"
++#include "Util/Log.hpp"
+
+ #include "ConsoleInterface.hpp"
+ // for UNIT_FLAGS_SURFACE
+@@ -410,6 +411,10 @@
+ = (const PlayerConnectID *) message;
+
+ local_player_index = connect_mesg->connect_state.getPlayerIndex();
++ if(local_player_index >= max_players) {
++ LOGGER.warning("Invalide netMessageConnectID Message");
++ return;
++ }
+
+ SDL_mutexP(mutex);
+ player_lists[local_player_index].setFromNetworkPlayerState
+@@ -423,6 +428,12 @@
+ const PlayerStateSync *sync_mesg
+ = (const PlayerStateSync *) message;
+ uint16_t player_index = sync_mesg->player_state.getPlayerIndex();
++
++ if(player_index >= max_players) {
++ LOGGER.warning("Malformed MessageSyncState message");
++ return;
++ }
++
+ SDL_mutexP(mutex);
+ player_lists[player_index].setFromNetworkPlayerState(&sync_mesg->player_state);
+ forceUniquePlayerFlags();
+@@ -475,6 +486,14 @@
+ const PlayerScoreUpdate* score_update
+ = (const PlayerScoreUpdate *) message;
+
++ if(score_update->getKillByPlayerIndex() >= PlayerInterface::getMaxPlayers()
++ || score_update->getKillOnPlayerIndex()
++ >= PlayerInterface::getMaxPlayers())
++ {
++ LOGGER.warning("Malformed scrore update packet.");
++ return;
++ }
++
+ PlayerState* player1 = getPlayer(score_update->getKillByPlayerIndex());
+ PlayerState* player2 = getPlayer(score_update->getKillOnPlayerIndex());
+ setKill(player1, player2, (UnitType) score_update->unit_type );
+@@ -487,6 +506,12 @@
+ const PlayerAllianceRequest *allie_request
+ = (const PlayerAllianceRequest *) message;
+
++ if(allie_request->getAllieByPlayerIndex() >= max_players
++ || allie_request->getAllieWithPlayerIndex() >= max_players) {
++ LOGGER.warning("Invalid alliance request message");
++ return;
++ }
++
+ SDL_mutexP(mutex);
+ if ( allie_request->alliance_request_type == _player_make_alliance ) {
+ setAlliance(
+@@ -541,6 +566,12 @@
+ const PlayerAllianceUpdate* allie_update
+ = (const PlayerAllianceUpdate *) message;
+
++ if(allie_update->getAllieByPlayerIndex() >= max_players
++ || allie_update->getAllieWithPlayerIndex() >= max_players) {
++ LOGGER.warning("Invalid alliance update message");
++ return;
++ }
++
+ SDL_mutexP(mutex);
+ if (allie_update->alliance_update_type == _player_make_alliance) {
+ setAlliance(
+Index: src/NetPanzer/Interfaces/InfoThread.cpp
+===================================================================
+--- src/NetPanzer/Interfaces/InfoThread.cpp (revision 928)
++++ src/NetPanzer/Interfaces/InfoThread.cpp (revision 929)
+@@ -174,15 +174,20 @@
+ InfoThread::sendPlayers(std::stringstream& out)
+ {
+ ObjectiveInterface::updatePlayerObjectiveCounts();
+- for(int i = 0; i < PlayerInterface::countPlayers(); ++i) {
++ int n = 0;
++ for(int i = 0; i < PlayerInterface::getMaxPlayers(); ++i) {
+ PlayerState* playerState = PlayerInterface::getPlayerState(i);
+- out << "player_" << i << "\\" << playerState->getName() << "\\"
+- << "kills_" << i << "\\" << playerState->getKills() << "\\"
+- << "deaths_" << i << "\\" << playerState->getLosses() << "\\"
+- << "score_" << i << "\\"
++ if(playerState->getStatus() != _player_state_active)
++ continue;
++
++ out << "player_" << n << "\\" << playerState->getName() << "\\"
++ << "kills_" << n << "\\" << playerState->getKills() << "\\"
++ << "deaths_" << n << "\\" << playerState->getLosses() << "\\"
++ << "score_" << n << "\\"
+ << playerState->getObjectivesHeld() << "\\"
+- << "flag_" << i << "\\"
++ << "flag_" << n << "\\"
+ << (int) playerState->getFlag() << "\\";
++ n++;
+ }
+ // TODO add team/alliance info
+ }
+Index: src/NetPanzer/Classes/Network/NetMessageDecoder.cpp
+===================================================================
+--- src/NetPanzer/Classes/Network/NetMessageDecoder.cpp (revision 928)
++++ src/NetPanzer/Classes/Network/NetMessageDecoder.cpp (revision 929)
+@@ -57,6 +57,12 @@
+ return false;
+
+ *message = (NetMessage *) (decode_message.data + decode_message_index);
++ if( (*message)->getSize() >
++ decode_message.getSize() - decode_message.getHeaderSize() -
++ decode_message_index) {
++ LOGGER.warning("Malformed Multimessage!");
++ return false;
++ }
+ decode_message_index += (*message)->getSize();
+ decode_current_count++;
+
+Index: src/NetPanzer/Classes/Objective.cpp
+===================================================================
+--- src/NetPanzer/Classes/Objective.cpp (revision 928)
++++ src/NetPanzer/Classes/Objective.cpp (revision 929)
+@@ -69,6 +69,11 @@
+ {
+ const SyncObjective *sync_mesg = (const SyncObjective*) message;
+
++ if(sync_mesg->getOccupyingPlayerID() >= PlayerInterface::getMaxPlayers()) {
++ LOGGER.warning("Malformed ObjectvieMesgSync");
++ return;
++ }
++
+ objective_state.objective_status = sync_mesg->objective_status;
+ objective_state.occupation_status = sync_mesg->occupation_status;
+ if(objective_state.occupation_status != _occupation_status_unoccupied) {
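Review bot: In the first ChatInterface.cpp hunk the new `snprintf(..., "%s", chat_request->message_text)` bounds the write into `chat_mesg.message_text` but still reads the source until it finds a NUL, and `chat_request` is a cast of the received packet, so a request without a terminator is read past the end of the field. Giving the conversion a precision bounds the read as well, assuming `message_text` is an array member of `ChatMesgRequest` as it is of `ChatMesg`: `snprintf(chat_mesg.message_text, sizeof(chat_mesg.message_text), "%.*s", (int) sizeof(chat_request->message_text), chat_request->message_text);`. The `postMessage("Server: %s", chat_mesg->message_text)` call in the second hunk relies on the same terminator. In NetMessageDecoder.cpp the added bound subtracts the header size and `decode_message_index` from `decode_message.getSize()`; if those values are unsigned (the types are not visible) a short outer packet makes the right-hand side wrap, and a sub-message size of zero is still accepted, so both deserve an explicit check. All of the patched functions begin and end outside the hunks.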
diff --git a/games-strategy/netpanzer/netpanzer-0.8-r1.ebuild b/games-strategy/netpanzer/netpanzer-0.8-r1.ebuild
new file mode 100644
index 000000000000..a8a716d21e68
--- /dev/null
+++ b/games-strategy/netpanzer/netpanzer-0.8-r1.ebuild
@@ -0,0 +1,68 @@
+# Copyright 1999-2005 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/games-strategy/netpanzer/netpanzer-0.8-r1.ebuild,v 1.1 2005/07/14 02:24:00 vapier Exp $
+
+inherit eutils games
+
+DATAVERSION="0.8"
+DESCRIPTION="Fast-action multiplayer strategic network game"
+HOMEPAGE="http://netpanzer.berlios.de/"
+SRC_URI="http://download.berlios.de/netpanzer/netpanzer-${PV}.tar.bz2
+ http://download.berlios.de/netpanzer/netpanzer-data-${DATAVERSION}.tar.bz2"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ppc ~sparc x86"
+IUSE="dedicated"
+
+RDEPEND="dedicated? ( app-misc/screen )
+ >=media-libs/libsdl-1.2.5
+ >=media-libs/sdl-mixer-1.2.4
+ >=media-libs/sdl-image-1.2.3
+ >=dev-games/physfs-0.1.9"
+DEPEND="${RDEPEND}
+ >=dev-util/jam-2.5"
+
+src_unpack() {
+ unpack ${A}
+ cd "${S}"
+# epatch "${FILESDIR}"/${P}-min-size-check.patch
+# epatch "${FILESDIR}"/${P}-robust.patch
+}
+
+src_compile() {
+ egamesconf || die
+ jam -q || die "jam failed"
+
+ einfo "Working in ${WORKDIR}/${PN}-data-${DATAVERSION}/"
+ cd "${WORKDIR}"/${PN}-data-${DATAVERSION}
+ egamesconf || die
+ jam -q || die "jam failed (on data package)"
+}
+
+src_install() {
+ jam -sDESTDIR="${D}" -sappdocdir=/usr/share/doc/${PF} install || die "jam install failed"
+
+ cd "${WORKDIR}"/${PN}-data-${DATAVERSION}/
+ jam -sDESTDIR="${D}" -sappdocdir=/usr/share/doc/${PF} install || die "jam install failed (data package)"
+
+ if use dedicated ; then
+ newinitd "${FILESDIR}/netpanzer.rc" netpanzer || die "newinitd failed"
+ sed -i \
+ -e "s:GAMES_USER_DED:${GAMES_USER_DED}:" \
+ -e "s:GENTOO_DIR:${GAMES_BINDIR}:" \
+ "${D}/etc/init.d/netpanzer" \
+ || die "sed failed"
+
+ insinto /etc
+ doins "${FILESDIR}/netpanzer-ded.ini" || die "doins failed"
+ exeinto "${GAMES_BINDIR}"
+ doexe "${FILESDIR}/netpanzer-ded" || die "doexe failed"
+ sed -i \
+ -e "s:GENTOO_DIR:${GAMES_BINDIR}:" \
+ "${D}${GAMES_BINDIR}/netpanzer-ded" \
+ || die "sed failed"
+ fi
+ make_desktop_entry netpanzer NetPanzer netpanzer.png
+ prepgamesdirs
+}
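Review bot: Both `epatch` calls in `src_unpack` are commented out, so netpanzer-0.8-r1 unpacks and builds the same unpatched 0.8 sources while the ChangeLog entry for this revision says it fixes the server DoS from bug #98922. The two lines should be active: `epatch "${FILESDIR}"/${P}-min-size-check.patch` and `epatch "${FILESDIR}"/${P}-robust.patch`. If they were disabled because a patch does not apply cleanly, that should be resolved before the revision carries the stable `ppc x86` keywords, since users upgrading to -r1 would otherwise assume the fix is installed.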