On Wed, Mar 23, 2016 at 07:09:05AM +1100, James Cameron wrote:
> On the one hand, let's resolve the ambiguity about why your server is
> overflowing a buffer on messaging.  If we knew the exact line of code
> that was failing we could pinpoint it accurately.  [...]

With _FORTIFY_SOURCE removed temporarily, the buffer overflow comes
back as expected.

The cause is Tedd Hadley and Heiko Wengler's amazing short packets
code from 24th May 1993, which relies on strcpy to overflow the
destination string without complaint:


The source string is a message, e.g. " testing".

The destination string is a one-character buffer in the short packet.


Original intent was for the data to be written over the bytes in the
packet, overflowing into the remainder of the structure fields.

It is an intentional overflow, which the fortify wrappers are
enthusiastically reporting as a problem.

There will be plenty more where that came from.  ;-)


Method to test on client:

	netrek-client-cow -h server_ip -s 9292

Method to test on server:

	ulimit -c unlimited
	lib/ntserv -q 9 -s 9292 -d client_ip
	gdb lib/ntserv core

Backtrace as captured:

(gdb) bt
#0  0x00007f6658600cc9 in raise () from /lib/x86_64-linux-gnu/libc.so.6
#1  0x00007f6658604218 in abort () from /lib/x86_64-linux-gnu/libc.so.6
#2  0x00007f665863d394 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#3  0x00007f66586d4c9c in __fortify_fail ()
   from /lib/x86_64-linux-gnu/libc.so.6
#4  0x00007f66586d3b60 in __chk_fail () from /lib/x86_64-linux-gnu/libc.so.6
#5  0x000000000041057f in strcpy (__src=0x7f6659288f31 " testing", 
    __dest=0x7ffdd8f686c5 " ")
    at /usr/include/x86_64-linux-gnu/bits/string3.h:104
#6  updtMessage (msg=msg@entry=0x7ffdd8f686c0, cur=cur@entry=0x7f6659288f18)
    at genspkt.c:995
#7  0x00000000004116eb in updateMessages () at genspkt.c:1698
#8  0x00000000004206ad in updateClient () at socket.c:623
#9  0x0000000000407a91 in intrupt () at redraw.c:119
#10 0x00000000004063c9 in setflag () at input.c:42
#11 input () at input.c:122
#12 0x00000000004038b5 in main (argc=0, argv=<optimised out>) at main.c:461

James Cameron
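The idiom the backtrace shows is a strcpy() into a one-character array that is meant to spill into the fields that follow it in the same structure. The example below is an added illustration and is not Netrek code: the struct layout, field names and sizes are assumptions chosen to reproduce the shape of the problem (a 1-byte mesg[] followed by the rest of the packet), not the real short_msg_spacket. It keeps the legacy overrun behind an #ifdef so it is visible but not compiled, and puts beside it a bounded version that uses exactly the same tail region of the packet but never writes more than the struct holds. Note the one subtlety that matters under _FORTIFY_SOURCE=2: the checks use the size of the nearest enclosing subobject, so any write through p->mesg is bounded to 1 byte regardless of the length you pass. Addressing the region from the struct base with offsetof() gives the compiler the whole struct as the object, which is the bound you actually intend.

```c
/* Added example: bounded replacement for "strcpy past a one-byte buffer".
 * The struct layout below is a constructed stand-in, not Netrek's own. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct short_msg_pkt {
    uint8_t type;        /* packet type */
    uint8_t m_from;      /* sender slot */
    uint8_t m_recpt;     /* recipient */
    uint8_t m_flags;
    char    mesg[1];     /* the one-character buffer strcpy() targets */
    uint8_t tail[76];    /* the "remainder of the structure fields" it overran into */
};

/* Region from mesg to the end of the struct: the space the overflow
 * actually used.  Always addressed from the struct base, not via p->mesg,
 * so the fortify subobject bound of 1 byte does not apply to it. */
#define MESG_OFF   offsetof(struct short_msg_pkt, mesg)
#define MESG_SPACE (sizeof(struct short_msg_pkt) - MESG_OFF)

_Static_assert(MESG_SPACE >= 2, "need room for one char plus a NUL");

/* strnlen() without depending on POSIX feature macros. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

#ifdef SHOW_INTENTIONAL_OVERFLOW
/* The 1993 idiom.  Under _FORTIFY_SOURCE this compiles to __strcpy_chk
 * with a destination size of 1 and aborts through __chk_fail, which is
 * the backtrace above.  Deliberately not compiled by default. */
static void pack_message_legacy(struct short_msg_pkt *p, const char *src)
{
    strcpy(p->mesg, src);          /* intentional overrun into tail[] */
}
#endif

/* Bounded version: stores at most MESG_SPACE-1 characters, zero-fills the
 * rest of the region and so always NUL-terminates.  Returns the number of
 * characters stored, so the caller can see truncation. */
size_t pack_message_bounded(struct short_msg_pkt *p, const char *src)
{
    char *dst = (char *)p + MESG_OFF;
    size_t n = bounded_len(src, MESG_SPACE - 1);

    memset(dst, 0, MESG_SPACE);
    memcpy(dst, src, n);
    return n;
}

/* Bytes to put on the wire: header, message characters, one NUL. */
size_t short_packet_len(const struct short_msg_pkt *p)
{
    const char *msg = (const char *)p + MESG_OFF;
    return MESG_OFF + bounded_len(msg, MESG_SPACE) + 1;
}

/* Receiver side: copy the message out without trusting that a NUL is
 * present in the packet.  Writes at most out_len-1 bytes plus a NUL. */
size_t unpack_message(const struct short_msg_pkt *p, char *out, size_t out_len)
{
    const char *msg = (const char *)p + MESG_OFF;
    size_t n = bounded_len(msg, MESG_SPACE);

    if (n >= out_len)
        n = out_len - 1;
    memcpy(out, msg, n);
    out[n] = '\0';
    return n;
}

int main(void)
{
    struct short_msg_pkt pkt = { .type = 1, .m_from = 2, .m_recpt = 3 };
    char buf[128];
    size_t n = pack_message_bounded(&pkt, " testing");   /* string from the backtrace */

    unpack_message(&pkt, buf, sizeof buf);
    printf("stored %zu chars, wire length %zu, message \"%s\"\n",
           n, short_packet_len(&pkt), buf);
    return 0;
}
```

Compile with -DSHOW_INTENTIONAL_OVERFLOW and -O2 -D_FORTIFY_SOURCE=2 if you want to watch the legacy variant abort the way ntserv did; leave the define off to keep the build clean. The same offsetof() trick is what a minimal patch to updtMessage() would need, since replacing strcpy() with a strncpy() or memcpy() through cur->mesg still trips the 1-byte subobject check.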