mirror
/
OpenTTD
mirror of https://github.com/OpenTTD/OpenTTD
1
0
Fork 0
Code Issues

(svn r26100) -Fix: possible buffer overflow in console handling of aliases

release/1.4
rubidium 2013-11-25 10:13:59 +00:00
parent 2009da4f7d
commit 573f6dcd34
1 changed files with 31 additions and 42 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

73
src/console.cpp
View File

@ -21,7 +21,6 @@
#include <stdarg.h> #include <stdarg.h>
static const uint ICON_TOKEN_COUNT = 20; ///< Maximum number of tokens in one command static const uint ICON_TOKEN_COUNT = 20; ///< Maximum number of tokens in one command
static const uint ICON_MAX_ALIAS_LINES = 40; ///< Maximum number of commands executed by one alias
/* console parser */ /* console parser */
IConsoleCmd *_iconsole_cmds; ///< list of registered commands IConsoleCmd *_iconsole_cmds; ///< list of registered commands
@ -316,17 +315,6 @@ IConsoleAlias *IConsoleAliasGet(const char *name)
return NULL; return NULL;
} }
/** copy in an argument into the aliasstream */
static inline int IConsoleCopyInParams(char *dst, const char *src, uint bufpos)
{
/* len is the amount of bytes to add excluding the '\0'-termination */
int len = min(ICON_MAX_STREAMSIZE - bufpos - 1, (uint)strlen(src));
strecpy(dst, src, dst + len);
return len;
}
/** /**
* An alias is just another name for a command, or for more commands * An alias is just another name for a command, or for more commands
* Execute it as well. * Execute it as well.
@ -336,28 +324,23 @@ static inline int IConsoleCopyInParams(char *dst, const char *src, uint bufpos)
*/ */
static void IConsoleAliasExec(const IConsoleAlias *alias, byte tokencount, char *tokens[ICON_TOKEN_COUNT]) static void IConsoleAliasExec(const IConsoleAlias *alias, byte tokencount, char *tokens[ICON_TOKEN_COUNT])
{ {
const char *cmdptr; char alias_buffer[ICON_MAX_STREAMSIZE] = { '\0' };
char *aliases[ICON_MAX_ALIAS_LINES], aliasstream[ICON_MAX_STREAMSIZE]; char *alias_stream = alias_buffer;
uint i;
uint a_index, astream_i;
memset(&aliases, 0, sizeof(aliases));
memset(&aliasstream, 0, sizeof(aliasstream));
DEBUG(console, 6, "Requested command is an alias; parsing..."); DEBUG(console, 6, "Requested command is an alias; parsing...");
aliases[0] = aliasstream; for (const char *cmdptr = alias->cmdline; *cmdptr != '\0'; cmdptr++) {
for (cmdptr = alias->cmdline, a_index = 0, astream_i = 0; *cmdptr != '\0'; cmdptr++) {
if (a_index >= lengthof(aliases) || astream_i >= lengthof(aliasstream)) break;
switch (*cmdptr) { switch (*cmdptr) {
case '\'': // ' will double for "" case '\'': // ' will double for ""
aliasstream[astream_i++] = '"'; alias_stream = strecpy(alias_stream, "\"", lastof(alias_buffer));
break; break;
case ';': // Cmd separator, start new command case ';': // Cmd separator; execute previous and start new command
aliasstream[astream_i] = '\0'; IConsoleCmdExec(alias_buffer);
aliases[++a_index] = &aliasstream[++astream_i];
alias_stream = alias_buffer;
*alias_stream = '\0'; // Make sure the new command is terminated.
cmdptr++; cmdptr++;
break; break;
@ -365,22 +348,22 @@ static void IConsoleAliasExec(const IConsoleAlias *alias, byte tokencount, char
cmdptr++; cmdptr++;
switch (*cmdptr) { switch (*cmdptr) {
case '+': { // All parameters separated: "[param 1]" "[param 2]" case '+': { // All parameters separated: "[param 1]" "[param 2]"
for (i = 0; i != tokencount; i++) { for (uint i = 0; i != tokencount; i++) {
aliasstream[astream_i++] = '"'; if (i != 0) alias_stream = strecpy(alias_stream, " ", lastof(alias_buffer));
astream_i += IConsoleCopyInParams(&aliasstream[astream_i], tokens[i], astream_i); alias_stream = strecpy(alias_stream, "\"", lastof(alias_buffer));
aliasstream[astream_i++] = '"'; alias_stream = strecpy(alias_stream, tokens[i], lastof(alias_buffer));
aliasstream[astream_i++] = ' '; alias_stream = strecpy(alias_stream, "\"", lastof(alias_buffer));
} }
break; break;
} }
case '!': { // Merge the parameters to one: "[param 1] [param 2] [param 3...]" case '!': { // Merge the parameters to one: "[param 1] [param 2] [param 3...]"
aliasstream[astream_i++] = '"'; alias_stream = strecpy(alias_stream, "\"", lastof(alias_buffer));
for (i = 0; i != tokencount; i++) { for (uint i = 0; i != tokencount; i++) {
astream_i += IConsoleCopyInParams(&aliasstream[astream_i], tokens[i], astream_i); if (i != 0) alias_stream = strecpy(alias_stream, " ", lastof(alias_buffer));
aliasstream[astream_i++] = ' '; alias_stream = strecpy(alias_stream, tokens[i], lastof(alias_buffer));
} }
aliasstream[astream_i++] = '"'; alias_stream = strecpy(alias_stream, "\"", lastof(alias_buffer));
break; break;
} }
@ -393,21 +376,27 @@ static void IConsoleAliasExec(const IConsoleAlias *alias, byte tokencount, char
return; return;
} }
aliasstream[astream_i++] = '"'; alias_stream = strecpy(alias_stream, "\"", lastof(alias_buffer));
astream_i += IConsoleCopyInParams(&aliasstream[astream_i], tokens[param], astream_i); alias_stream = strecpy(alias_stream, tokens[param], lastof(alias_buffer));
aliasstream[astream_i++] = '"'; alias_stream = strecpy(alias_stream, "\"", lastof(alias_buffer));
break; break;
} }
} }
break; break;
default: default:
aliasstream[astream_i++] = *cmdptr; *alias_stream++ = *cmdptr;
*alias_stream = '\0';
break; break;
} }
if (alias_stream >= lastof(alias_buffer) - 1) {
IConsoleError("Requested alias execution would overflow execution buffer");
return;
}
} }
for (i = 0; i <= a_index; i++) IConsoleCmdExec(aliases[i]); // execute each alias in turn IConsoleCmdExec(alias_buffer);
} }
/** /**