General discussions / Re: SFML 2.0 RC
« on: June 05, 2012, 09:01:20 pm »
Hi,
There is a problem with this function:
void sfPacket_readString(sfPacket* packet, char* string);
You may argue that the application should know what buffer size is needed, but a malicious peer may send a bigger string, which will make the game server segfault.
Here is a test case that produces such a segmentation fault:
#include <stdio.h>
#include <stdlib.h>
#include <SFML/Network/Packet.h>

int main()
{
    /* 4 bytes of storage (a string literal), far smaller than what will be read into it */
    char *buf = "+++";
    sfPacket *p = sfPacket_create();
    /* 16 characters go into the packet... */
    sfPacket_writeString(p, "0123456789ABCDEF");
    /* ...and are copied into the 4-byte buffer: there is no length check, so this overflows */
    sfPacket_readString(p, buf);
    printf("BUF: %s\n", buf);
    sfPacket_destroy(p);
    return 0;
}
There is one parameter missing and a return value missing.
It should be something like:
int sfPacket_readString(sfPacket* packet, char* string, int length);
We need a parameter, length, that tells the size of the buffer string provided, and the function should not try to fill more than that in order to prevent the segmentation fault.
We also need a return value telling how many bytes were filled into the buffer, because if the buffer is of a larger size (for example 1024) and the function fills a smaller amount (for example 30), we need that value to extract the actual chunk. Using the NULL C string terminator is not enough / is not always a good method.
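The bounded read the post asks for, as an added example that is not CSFML code and does not use the real sfPacket API: a stand-in packet type (demo_packet) with an assumed 4-byte big-endian length prefix, a demo_read_string that takes the buffer capacity and returns the number of bytes copied, and constructed inputs replaying the post's 16-characters-into-4-bytes case plus a packet whose declared length exceeds the bytes it actually carries. Every name and the wire format are assumptions made for the example.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a received packet: a byte buffer plus a read
 * cursor. This is not CSFML's sfPacket. */
typedef struct {
    const unsigned char *data;
    size_t size;
    size_t pos;
} demo_packet;

/* Assumed wire format: 4-byte big-endian length, then the string bytes. */
static int demo_read_u32(demo_packet *p, uint32_t *out)
{
    const unsigned char *b = p->data + p->pos;
    if (p->size - p->pos < 4)
        return 0;
    *out = ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) | ((uint32_t)b[2] << 8) | b[3];
    p->pos += 4;
    return 1;
}

/* Bounded read in the shape the post proposes. `length` is the capacity of
 * `buf` and is never exceeded. Returns the number of string bytes copied
 * (terminator not counted), or -1 when the packet is truncated, the declared
 * length is not backed by data, or the string plus terminator does not fit.
 * On -1 the cursor is restored and `buf` holds an empty string. */
int demo_read_string(demo_packet *p, char *buf, size_t length)
{
    uint32_t len;
    size_t start = p->pos;

    if (buf == NULL || length == 0)
        return -1;
    buf[0] = '\0';
    if (length > (size_t)INT_MAX)
        length = INT_MAX;
    if (!demo_read_u32(p, &len))
        return -1;
    /* Reject a forged prefix that claims more bytes than the packet holds,
     * and a string that would not fit together with its terminator. */
    if (len > p->size - p->pos || len >= length) {
        p->pos = start;
        return -1;
    }
    memcpy(buf, p->data + p->pos, len);
    buf[len] = '\0';
    p->pos += len;
    return (int)len;
}

/* Constructed helper: encode `s` in the assumed wire format. Returns bytes written, 0 if no room. */
size_t demo_encode_string(const char *s, unsigned char *out, size_t cap)
{
    size_t n = strlen(s);
    if (n > UINT32_MAX || cap < 4 + n)
        return 0;
    out[0] = (unsigned char)(n >> 24);
    out[1] = (unsigned char)(n >> 16);
    out[2] = (unsigned char)(n >> 8);
    out[3] = (unsigned char)n;
    memcpy(out + 4, s, n);
    return 4 + n;
}

/* Round-trip `s` through a packet into a buffer of `cap` bytes (cap <= 1024).
 * Returns the count reported on success, -1 if the read was refused, -2 on a content mismatch. */
int demo_roundtrip(const char *s, size_t cap)
{
    unsigned char wire[2048];
    char buf[1024];
    demo_packet p = { wire, 0, 0 };
    int n;

    if (cap > sizeof buf)
        return -3;
    p.size = demo_encode_string(s, wire, sizeof wire);
    n = demo_read_string(&p, buf, cap);
    if (n < 0)
        return -1;
    return strcmp(buf, s) == 0 ? n : -2;
}

/* Constructed malicious packet: declares a 1000-byte string but carries only five bytes. */
int demo_forged_length(void)
{
    static const unsigned char wire[] = { 0x00, 0x00, 0x03, 0xE8, 'h', 'e', 'l', 'l', 'o' };
    char buf[1024];
    demo_packet p = { wire, sizeof wire, 0 };
    return demo_read_string(&p, buf, sizeof buf);
}

int main(void)
{
    /* The post's case is refused instead of overflowing; the large buffer gets the real count. */
    printf("16 chars into 4 bytes: %d\n", demo_roundtrip("0123456789ABCDEF", 4));
    printf("16 chars into 1024 bytes: %d\n", demo_roundtrip("0123456789ABCDEF", 1024));
    printf("forged length prefix: %d\n", demo_forged_length());
    return 0;
}
```

The two checks folded into one condition are the ones that matter for a server: the declared length is validated against the bytes actually present before anything is copied, so a peer cannot make the reader run past the packet, and the capacity check makes the caller's buffer size the hard limit rather than whatever the peer chose to send. Returning the count (0 for an empty string, -1 for a refused read) lets the caller extract the chunk from an oversized buffer without relying on the terminator.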