[CVE-2006-3125] Add index underflow protections where needed. Patch from

2006-08-17  Jordi Mallach  <jordi@sindominio.net>

	* src/tetrinet.c: [CVE-2006-3125] Add index underflow protections
	where needed. Patch from Martin Schulze from the Debian Security
	Team. Thanks to Michael Gehring for analysis and proof of concept
	code.

diff --git a/ChangeLog b/ChangeLog
index 33227a56171983ee01684854e09fa255485bfbf9..f71190c5459e79aeee244db79143bca58bf487ca 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2006-08-17  Jordi Mallach  <jordi@sindominio.net>
+
+       * src/tetrinet.c: [CVE-2006-3125] Add index underflow protections
+       where needed. Patch from Martin Schulze from the Debian Security
+       Team. Thanks to Michael Gehring for analysis and proof of concept
+       code.
+
 2006-05-25  Jordi Mallach  <jordi@sindominio.net>
 
        * configure.in: Switch to IT_PROG_INTLTOOL([0.35.0) and move

diff --git a/src/tetrinet.c b/src/tetrinet.c
index 8752de8d947716f412d59d18cc5183e98545570c..847264366ea0f9bf1b873536ca76275bf83a54b6 100644 (file)
--- a/src/tetrinet.c
+++ b/src/tetrinet.c
@@ -242,7 +242,7 @@ void tetrinet_inmessage (enum inmsg_type msgtype, char *data)
     case IN_PLAYERNUM:
         pnumrec = 1;
         tmp_pnum = atoi (data);
-        if (tmp_pnum >= MAX_PLAYERS)
+        if (tmp_pnum >= MAX_PLAYERS || tmp_pnum < 0)
           break;
         bigfieldnum = playernum = tmp_pnum;
         if (!connected)
@@ -300,7 +300,7 @@ void tetrinet_inmessage (enum inmsg_type msgtype, char *data)
             token = strtok (data, " ");
             if (token == NULL) break;
             pnum = atoi (token);
-            if (pnum >= MAX_PLAYERS)
+            if (pnum >= MAX_PLAYERS || pnum < 0)
               break;
             token = strtok (NULL, "");
             if (token == NULL) break;
@@ -328,7 +328,7 @@ void tetrinet_inmessage (enum inmsg_type msgtype, char *data)
             token = strtok (data, " ");
             if (token == NULL) break;
             pnum = atoi (token);
-            if (pnum >= MAX_PLAYERS)
+            if (pnum >= MAX_PLAYERS || pnum < 0)
               break;
             if (!playercount)
               break;
@@ -357,7 +357,7 @@ void tetrinet_inmessage (enum inmsg_type msgtype, char *data)
             token = strtok (data, " ");
             if (token == NULL) break;
             pnum = atoi (token);
-            if (pnum >= MAX_PLAYERS)
+            if (pnum >= MAX_PLAYERS || pnum < 0)
               break;
             if ((pnum == playernum) && !spectating)
                 g_snprintf (buf, sizeof(buf),
@@ -386,7 +386,7 @@ void tetrinet_inmessage (enum inmsg_type msgtype, char *data)
             token = strtok (data, " ");
             if (token == NULL) break;
             pnum = atoi (token);
-            if (pnum >= MAX_PLAYERS)
+            if (pnum >= MAX_PLAYERS || pnum < 0)
               break;
             token = strtok (NULL, "");
             if (token == NULL) token = "";
@@ -405,7 +405,7 @@ void tetrinet_inmessage (enum inmsg_type msgtype, char *data)
             token = strtok (data, " ");
             if (token == NULL) break;
             pnum = atoi (token);
-            if (pnum >= MAX_PLAYERS)
+            if (pnum >= MAX_PLAYERS || pnum < 0)
               break;
             token = strtok (NULL, "");
             if (token == NULL) token = "";
@@ -514,7 +514,7 @@ void tetrinet_inmessage (enum inmsg_type msgtype, char *data)
             token = strtok (data, " ");
             if (token == NULL) break;
             pnum = atoi (token);
-            if (pnum >= MAX_PLAYERS)
+            if (pnum >= MAX_PLAYERS || pnum < 0)
               break;
             token = strtok (NULL, "");
             if (token == NULL) token = "";
@@ -526,7 +526,7 @@ void tetrinet_inmessage (enum inmsg_type msgtype, char *data)
         {
             int pnum;
             pnum = atoi (data);
-            if (pnum >= MAX_PLAYERS)
+            if (pnum >= MAX_PLAYERS || pnum < 0)
               break;
             /* player is out */
             playerplaying[pnum] = 0;
@@ -536,7 +536,7 @@ void tetrinet_inmessage (enum inmsg_type msgtype, char *data)
         {
             int pnum;
             pnum = atoi (data);
-            if (pnum >= MAX_PLAYERS)
+            if (pnum >= MAX_PLAYERS || pnum < 0)
               break;
             if (teamnames[pnum][0])
                 g_snprintf (buf, sizeof(buf),
@@ -681,7 +681,7 @@ void tetrinet_inmessage (enum inmsg_type msgtype, char *data)
             s = strtok (data, " ");
             if (s == NULL) break;
             pnum = atoi (s);
-            if (pnum >= MAX_PLAYERS)
+            if (pnum >= MAX_PLAYERS || pnum < 0)
               break;
             s = strtok (NULL, "");
             if (s == NULL) break;
@@ -715,14 +715,14 @@ void tetrinet_inmessage (enum inmsg_type msgtype, char *data)
             token = strtok (data, " ");
             if (token == NULL) break;
             to = atoi (token);
-            if (to >= MAX_PLAYERS)
+            if (to >= MAX_PLAYERS || to < 0)
               break;
             sbid = strtok (NULL, " ");
             if (sbid == NULL) break;
             token = strtok (NULL, "");
             if (token == NULL) break;
             from = atoi(token);
-            if (from >= MAX_PLAYERS)
+            if (from >= MAX_PLAYERS || from < 0)
               break;
             for (sbnum = 0; sbinfo[sbnum].id; sbnum ++)
                 if (strcmp (sbid, sbinfo[sbnum].id) == 0) break;
@@ -737,7 +737,7 @@ void tetrinet_inmessage (enum inmsg_type msgtype, char *data)
             token = strtok (data, " ");
             if (token == NULL) break;
             pnum = atoi (token);
-            if (pnum >= MAX_PLAYERS)
+            if (pnum >= MAX_PLAYERS || pnum <= 0)
               break;
             token = strtok (NULL, "");
             if (token == NULL) break;