Commit 3e94db9

Possible fix for strncpy overlap in SVC_RemoteCommand
SVC_RemoteCommand->Cmd_ExecuteString->Cmd_TokenizeString2 cmd_cmd stomped on the same memory. Vanilla code even from vq3 used a 1k sized array but this is significantly less than the size of cmd_cmd array so use the size of the cmd_cmd array.
1 parent 7f2544a commit 3e94db9

1 file changed

Lines changed: 4 additions & 2 deletions

src/server/sv_main.c

@@ -1095,7 +1095,8 @@ static void SVC_RemoteCommand( const netadr_t *from ) {
10951095
// TTimo - scaled down to accumulate, but not overflow anything network wise, print wise etc.
10961096
// (OOB messages are the bottleneck here)
10971097
char sv_outputbuf[1024 - 16];
1098-
const char *cmd_aux, *pw;
1098+
const char *pw;
1099+
char *cmd_aux, cmd_copy[BIG_INFO_STRING];
10991100

11001101
// Prevent using rcon as an amplifier and make dictionary attacks impractical
11011102
if ( SVC_RateLimitAddress( from, 10, 1000 ) ) {
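Review bot: the new declaration `char *cmd_aux, cmd_copy[BIG_INFO_STRING];` has no comment explaining why a private copy exists or why it is sized with `BIG_INFO_STRING`, and it drops the `const` that `cmd_aux` had before. The commit message says the copy is meant to match the size of the `cmd_cmd` array, but nothing in this hunk ties the two together, so a later change to either size would go unnoticed. Please add a short comment stating that the buffer returned by `Cmd_Cmd()` is overwritten when the command is re-tokenized, and size `cmd_copy` from the same constant as that buffer (or document that `BIG_INFO_STRING` is that constant). If nothing writes through `cmd_aux`, `const char *cmd_aux` can stay, since the lines visible in this diff only read through it.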
@@ -1135,7 +1136,8 @@ static void SVC_RemoteCommand( const netadr_t *from ) {
11351136
// get the command directly, "rcon <pass> <command>" to avoid quoting issues
11361137
// extract the command by walking
11371138
// since the cmd formatting can fuckup (amount of spaces), using a dumb step by step parsing
1138-
cmd_aux = Cmd_Cmd();
1139+
Q_strncpyz( cmd_copy, Cmd_Cmd(), sizeof( cmd_copy ) );
1140+
cmd_aux = cmd_copy;
11391141
while ( *cmd_aux && *cmd_aux <= ' ' ) // skip whitespace
11401142
cmd_aux++;
11411143
cmd_aux += 4; // "rcon"
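Review bot: `Q_strncpyz( cmd_copy, Cmd_Cmd(), sizeof( cmd_copy ) );` bounds the copy but truncates silently, so if the source string is ever longer than `cmd_copy` the rcon command that gets parsed from here on is a cut-off version of what was sent. Consider comparing the source length against `sizeof( cmd_copy )` before the copy and rejecting the request when it does not fit, rather than executing a shortened command. A one-line comment above the copy saying that it exists to keep `cmd_aux` from pointing into the buffer that the later execute/tokenize step reuses would also stop someone from "simplifying" this back to `cmd_aux = Cmd_Cmd();`.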
