Bugtraq mailing list archives

FICS buffer overflow


From: canul () HALFLIFE DYN INSOMNIA ORG (canul)
Date: Mon, 29 Nov 1999 14:57:30 -0500


While documenting the FICS (free internet chess server) protocol for
purposes of an alternative to the xboard program, I encountered what looks
to be a potential for attack. This vulnerability has been verified by one
of the largest FICS-based systems, chess.net <http://www.chess.net>.

The problem involves unchecked user input to a fixed length
string. Non-denial-of-service exploitation of the questionable code looks
possible but not trivial, as there is not room in the buffer for shell
code, but putting it elsewhere is certainly a possibility. I have written
a patch that resolves the problem, in some fashion.

-------------------------------------------------------------------------------
--- gameproc.c  Tue Nov 16 13:52:31 1999
+++ gameproc.1.c        Sat Nov 20 19:45:08 1999
@@ -24,6 +24,7 @@
                                                 Second is obsproc.c.
    DAV                         96/7/1          Added avail stuff
 */
+/* canul () halflife dyn insomnia org  com_boards buffer overflow fix */

 #include "stdinclude.h"

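Review bot: the attribution comment is dropped in as a stand-alone block after the change-log table; the file already keeps a dated author/description table above, so a row there ("canul  99/11/20  com_boards buffer overflow fix") would follow the file's own convention instead of adding a second comment style.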
@@ -1445,6 +1446,16 @@

   if (param[0].type == TYPE_WORD)
     category = param[0].val.word;
+       
+#ifndef CATEGORY_LIMIT
+#      define CATEGORY_LIMIT 100
+#endif
+  if (strlen(category) > CATEGORY_LIMIT)
+  {
+      pprintf(p, "That category exceeds the string limit\n");
+         return COM_OK;
+  }
+
   if (category) {
     pprintf(p, "Boards Available For Category %s:\n", category);
     sprintf(dname, "%s/%s", board_dir, category);

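Review bot: the new length check runs before the existing `if (category) {` guard, so when param[0].type is not TYPE_WORD and category is left unset, `strlen(category)` dereferences a null pointer; move the check inside the `if (category)` block. The limit itself is also not tied to the destination: CATEGORY_LIMIT is a bare 100 while the `sprintf(dname, "%s/%s", board_dir, category)` that follows also writes board_dir and a slash, so the bound should be derived from the size of dname (or the sprintf replaced with `snprintf(dname, sizeof(dname), ...)` and its result checked), and the `#ifndef CATEGORY_LIMIT` block belongs at file scope or in a header rather than in the middle of the function body. Minor: the first `+` line carries trailing whitespace and the inserted block mixes tab and space indentation with the surrounding code.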

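An added example, not from the post or the FICS source, showing the same fix with the bound computed from the destination buffer rather than a fixed CATEGORY_LIMIT. The post does not show how dname is declared, so DNAME_SIZE, BOARD_DIR and the helper names here are constructed stand-ins.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins: the real dname[] size and board_dir are not
 * shown in the post, so these are assumptions for demonstration. */
#define DNAME_SIZE 64
#define BOARD_DIR  "/usr/fics/boards"

/* Build "<board_dir>/<category>" into dname the way com_boards does,
 * but bounded by the destination size. Returns 1 when the full path
 * fits, 0 otherwise; dname is left untouched on rejection. */
int build_board_path(char *dname, size_t dname_size,
                     const char *board_dir, const char *category)
{
    /* category may be NULL when the command took no word argument,
     * which is exactly the case the original if (category) guards. */
    if (dname == NULL || board_dir == NULL || category == NULL)
        return 0;

    /* board_dir + '/' + category + terminating NUL must all fit;
     * this is the check the patch approximates with CATEGORY_LIMIT. */
    size_t need = strlen(board_dir) + 1 + strlen(category) + 1;
    if (need > dname_size)
        return 0;

    /* snprintf would truncate on its own; the explicit check above turns
     * an oversized input into a visible rejection instead of a silent
     * shortened path. */
    int n = snprintf(dname, dname_size, "%s/%s", board_dir, category);
    return n >= 0 && (size_t)n < dname_size;
}

/* Constructed probe: a category made of `len` 'A' bytes, so the boundary
 * can be exercised without a live server. Returns the build result, or -1
 * if len does not fit the scratch buffer. */
int fits_with_len(size_t len)
{
    char category[512];
    char dname[DNAME_SIZE];

    if (len >= sizeof category)
        return -1;
    memset(category, 'A', len);
    category[len] = '\0';
    return build_board_path(dname, sizeof dname, BOARD_DIR, category);
}
```

With a 16-byte board_dir and a 64-byte dname, a 46-byte category is the longest that fits; a 100-byte one, which the patch's CATEGORY_LIMIT of 100 would still accept, is rejected here.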