#90 combat: !ggz_read_string_alloc

open
None
5
2002-04-15
2002-04-15
No

Hastings uses ggz_read_string_alloc to read an options
string from the client. This is somewhat unsafe, as a
malicious client could send a string of arbitrary
length (although libggz does impose a maximum length).

It also looks like this string is not properly freed;
for instance if the player is not the host. A
malicious client could use this loophole to repeatedly
send large options strings, exhausting memory on the
server.
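A defensive sketch of the two points the report raises, added here as an illustration and not code from the GGZ project or libggz: a string reader that checks the peer-supplied length against a caller-chosen cap (and against the bytes actually present) before allocating anything, and an options handler that frees the string on every return path, including the non-host one. The 4-byte big-endian length prefix, the `OPTIONS_MAX_LEN` value, the `msg_t` in-memory message and all function names are assumptions made for this example; the messages are constructed in memory, so nothing touches a socket.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed wire format for this example (an assumption, not libggz's own):
 * a 4-byte big-endian length followed by that many bytes of string data.
 * OPTIONS_MAX_LEN is the caller-imposed cap; the value is chosen for the example. */
#define OPTIONS_MAX_LEN 256

/* An in-memory message with a read cursor, standing in for a socket. */
typedef struct {
    const uint8_t *data;
    size_t len;
    size_t pos;
} msg_t;

static int read_u32(msg_t *m, uint32_t *out) {
    if (m->len - m->pos < 4) return -1;
    const uint8_t *p = m->data + m->pos;
    *out = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
    m->pos += 4;
    return 0;
}

/* Reads a length-prefixed string, allocating at most max_len + 1 bytes.
 * The peer-supplied length is checked against the caller's cap and against
 * the bytes actually present before malloc is ever called. */
char *read_string_bounded(msg_t *m, size_t max_len) {
    uint32_t n;
    if (read_u32(m, &n) != 0) return NULL;
    if (n > max_len || n > m->len - m->pos) return NULL;
    char *s = malloc((size_t)n + 1);
    if (s == NULL) return NULL;
    memcpy(s, m->data + m->pos, n);
    s[n] = '\0';
    m->pos += n;
    return s;
}

enum { OPT_APPLIED = 0, OPT_IGNORED_NOT_HOST = 1, OPT_REJECTED = 2 };

/* Handles an options message. The string is freed on every return path,
 * so a non-host client cannot make the server accumulate allocations. */
int handle_options(msg_t *m, int is_host, char *applied, size_t applied_sz) {
    char *opts = read_string_bounded(m, OPTIONS_MAX_LEN);
    if (opts == NULL) return OPT_REJECTED;    /* nothing was allocated */
    int rc = OPT_IGNORED_NOT_HOST;
    if (is_host) {
        snprintf(applied, applied_sz, "%s", opts);
        rc = OPT_APPLIED;
    }
    free(opts);                               /* host and non-host alike */
    return rc;
}

/* Builds a constructed message: a claimed length (which may lie) plus payload. */
static size_t encode_msg(uint8_t *buf, uint32_t claimed_len,
                         const char *payload, size_t payload_len) {
    buf[0] = (uint8_t)(claimed_len >> 24);
    buf[1] = (uint8_t)(claimed_len >> 16);
    buf[2] = (uint8_t)(claimed_len >> 8);
    buf[3] = (uint8_t)claimed_len;
    memcpy(buf + 4, payload, payload_len);
    return 4 + payload_len;
}

/* Host sends a well-formed options string: applied, then freed. */
int scenario_host_applies(void) {
    uint8_t buf[64];
    char applied[OPTIONS_MAX_LEN + 1] = {0};
    msg_t m = { buf, encode_msg(buf, 5, "a=1;b", 5), 0 };
    return handle_options(&m, 1, applied, sizeof applied) == OPT_APPLIED &&
           strcmp(applied, "a=1;b") == 0;
}

/* Non-host sends the same string: ignored, nothing applied, nothing leaked. */
int scenario_non_host_ignored(void) {
    uint8_t buf[64];
    char applied[OPTIONS_MAX_LEN + 1] = {0};
    msg_t m = { buf, encode_msg(buf, 5, "a=1;b", 5), 0 };
    return handle_options(&m, 0, applied, sizeof applied) == OPT_IGNORED_NOT_HOST &&
           applied[0] == '\0';
}

/* Peer claims a 2 GiB string but sends two bytes: rejected before any malloc. */
int scenario_huge_length_rejected(void) {
    uint8_t buf[64];
    char applied[OPTIONS_MAX_LEN + 1] = {0};
    msg_t m = { buf, encode_msg(buf, 0x7fffffffu, "xx", 2), 0 };
    return handle_options(&m, 1, applied, sizeof applied) == OPT_REJECTED;
}

int main(void) {
    printf("host applies:         %d\n", scenario_host_applies());
    printf("non-host ignored:     %d\n", scenario_non_host_ignored());
    printf("huge length rejected: %d\n", scenario_huge_length_rejected());
    return 0;
}
```

The cap is applied by the caller rather than relied on from the library, so each message type can carry a limit that matches what it actually needs; running the scenarios under a leak checker such as valgrind will show that no allocation outlives `handle_options` on any path.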

Discussion

  • Jason Dorje Short

    Obviously, I meant Combat not Hastings. Sorry.

  • Jason Dorje Short

    • summary: hastings: !ggz_read_string_alloc --> combat: !ggz_read_string_alloc
  • Ismael Orenstein

    OK, I've changed the client (the server wasn't touched
    yet) so that all these strings are properly freed (with
    ggz_free). However, I'm still using ggz_read_string_alloc,
    because I'm lazy and I think we should trust the server in
    this case.

    The server code should really be more careful, but isn't
    the fact that ggz_read_string_alloc has a maximum length
    enough security for the client (assuming that all this
    alloced memory is freed, of course)?

    PS: Please check if there are any more memory leaks (or
    better, teach me how to do it! :) )
