AW: Security Audit, was Re: [crossfire] Server release?

Michael Toennies michtoen at daimonin.net
Sun Apr 17 14:15:12 CDT 2005


You should have in mind that there is no need to have a "total"
control over every sprintf().

The server has only very few different buffer sizes and the
code is really bugfree - the only real problem is the client->server
communication. But - all that communication has to pass the socket/command
interface. There must be the control. It must be there either way.

Because it's a good idea not only to avoid the buffer overflow but also
to find the hacked client & player - and remove him.

> tchize wrote:
> > I fixed this a while ago (I think). This was related to the server
> > dying on a SIGPIPE on abrupt connection close.
> >
> > Just one note, on security.
> > Every part of the code is subject to string overflows. I have seen
> > countless calls to sprintf instead of snprintf, which is inherently
> > insecure. Some parts of those calls involve data provided
> > by the client.
>
>   Yes - using sprintf, strcpy, etc. is not safe.
>
>   Unfortunately, some number of those calls are on data
> passed in, where it would require changing the function
> prototype to denote how large the buffer is.
>
>   There are still a lot of calls to sprintf/strcpy in the
> code - fixing those is no small matter.
>
>   On the bright side, the server requires no special
> privileges to run, so could be run in a jail/zone/chroot
> environment to mitigate the risks.
>
> _______________________________________________
> crossfire mailing list
> crossfire at metalforge.org
> http://mailman.metalforge.org/mailman/listinfo/crossfire
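The two points made in this thread - bound every sprintf()-style write, and put the real control at the socket/command interface where client data enters - can be shown together in a small C example. This is an added illustration, not Crossfire's own code: the buffer sizes MAX_BUF and MAX_CMD_LEN, the verdict enum and the function names are hypothetical. The first gate rejects oversized or non-printable client commands before any formatting happens (which is also the point where a "hacked client" becomes visible and loggable); the second gate is the snprintf() replacement for the sprintf() idiom, taking the destination size in its prototype and reporting truncation through the return value, which sprintf() can never do.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical sizes, not the real Crossfire constants. */
#define MAX_BUF      256   /* largest general-purpose string buffer */
#define MAX_CMD_LEN  128   /* longest client command line we accept */

/* Result of checking one client command at the socket/command layer. */
enum cmd_verdict { CMD_OK, CMD_TOO_LONG, CMD_BAD_CHAR };

/* First gate: every client->server command passes here before any
 * sprintf-style formatting sees it. Enforces a length cap and a
 * printable-ASCII whitelist, so an oversized or binary command is
 * rejected (and can be logged against the player) instead of
 * reaching deeper code. */
enum cmd_verdict check_client_command(const char *cmd, size_t len)
{
    if (len > MAX_CMD_LEN)
        return CMD_TOO_LONG;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)cmd[i];
        if (c < 0x20 || c > 0x7e)
            return CMD_BAD_CHAR;
    }
    return CMD_OK;
}

/* Second gate: a bounded replacement for the sprintf() idiom. The
 * destination size is part of the prototype, as the quoted message
 * suggests. Returns true only if the whole message fit: snprintf()
 * never overruns dst (given dstlen is honest), and its return value
 * reveals truncation, which sprintf() would silently turn into an
 * overflow. */
bool format_player_msg(char *dst, size_t dstlen,
                       const char *player, const char *text)
{
    if (dstlen == 0)
        return false;
    int n = snprintf(dst, dstlen, "%s says: %s", player, text);
    if (n < 0) {
        dst[0] = '\0';
        return false;
    }
    return (size_t)n < dstlen;
}

/* Handle a raw "say" line from a client. Returns -1 if the command was
 * rejected at the interface, -2 if the message had to be truncated,
 * 0 on success with the formatted line in out. */
int handle_say(const char *player, const char *raw, size_t rawlen,
               char *out, size_t outlen)
{
    if (check_client_command(raw, rawlen) != CMD_OK)
        return -1;            /* log it; candidate for dropping the client */
    if (!format_player_msg(out, outlen, player, raw))
        return -2;            /* message truncated, but never overflowed */
    return 0;
}

int main(void)
{
    char out[MAX_BUF];
    /* Constructed sample inputs: one honest line, one oversized one. */
    const char *good = "hello there";
    char huge[MAX_CMD_LEN + 50];
    memset(huge, 'A', sizeof huge - 1);
    huge[sizeof huge - 1] = '\0';

    printf("good: rc=%d out=\"%s\"\n",
           handle_say("alice", good, strlen(good), out, sizeof out));
    printf("huge: rc=%d (rejected at the command interface)\n",
           handle_say("mallory", huge, strlen(huge), out, sizeof out));
    return 0;
}
```

The interesting return value is -2: with snprintf() a message that does not fit is cut short and the caller learns about it, whereas the sprintf() version would have written past the end of the buffer with no indication at all. Keeping the length check at the command layer means the deeper code can keep its small set of buffer sizes, which is the argument made above.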

