Crossfire Mailing List Archive

Server crash in /city/anthony/prison



With the current CVS distribution (and ver 0.95.5) it's possible to crash the
server by talking to the thief in /city/anthony/prison. 
The message part of the thief is improperly terminated, causing the server
to leave a dangling pointer where it expects a string. Naturally, bad things
happen.

Attached are two patches. The first fixes the map to be sensible, the second
tries to make the parse_message function in monster.c a bit more robust 
in situations like this and also provides some logging information. 
(Unfortunately, we don't have access to the object pointer in parse_message, 
so the log messages are somewhat less complete than I would like.) Probably 
the logging messages should be wrapped in an if (debug) statement, but 
I've not done so. 

It is also possible to avoid the crash by changing how nrofkeywords is
calculated, but I feel that would limit the information available for
logging even more.

-- 

Neil Muller

A Gentleman is someone who knows how to play the bagpipes
   and doesn't.

I see no need to concern myself with the medical profession's neurotic 
hangups about food.
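The mismatch the report describes, as an added C illustration that is not Crossfire's code and not part of this mail: an "@match" keyword list whose slot count is taken from the number of '|'-separated fields, while the loop that fills the slots skips empty fields, leaves one slot that was never set whenever the line ends in '|' (or contains '||'). The names, the field-count rule for the slot total, and the substring-based matching are assumptions made for the example; the server's real matching rules differ.

```c
/* Added example, not Crossfire's own code: why a trailing '|' in an
 * "@match framed|frame|" line leaves a keyword slot unset, and a split that
 * does not.  Assumed (not taken from the server): the slot count is the number
 * of '|'-separated fields, empty fields are skipped when filling, and matching
 * is a plain substring test. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Copy len bytes of start into a fresh NUL-terminated string. */
static char *dup_range(const char *start, size_t len) {
    char *s = malloc(len + 1);
    if (!s) { perror("malloc"); exit(1); }
    memcpy(s, start, len);
    s[len] = '\0';
    return s;
}

/* One slot per field: "a|b|" has three fields, the last one empty. */
size_t count_fields(const char *list) {
    size_t n = 1;
    for (const char *p = list; *p; p++)
        if (*p == '|') n++;
    return n;
}

/* Stores every non-empty field of list into out[] (which must have
 * count_fields(list) zeroed slots).  Returns the number stored and reports
 * how many empty fields were skipped. */
static size_t fill_keywords(const char *list, char **out, size_t *empty) {
    size_t stored = 0, skipped = 0;
    const char *start = list;
    for (const char *p = list; ; p++) {
        if (*p == '|' || *p == '\0') {
            size_t len = (size_t)(p - start);
            if (len > 0) out[stored++] = dup_range(start, len);
            else skipped++;
            if (*p == '\0') break;
            start = p + 1;
        }
    }
    *empty = skipped;
    return stored;
}

/* The failure mode from the mail: the array is reported as count_fields()
 * long, but only non-empty fields were stored, so a trailing or doubled '|'
 * leaves a slot that was never assigned.  calloc() makes that slot a visible
 * NULL here; with malloc() it would hold whatever was left in memory. */
char **split_keywords_buggy(const char *list, size_t *nslots) {
    size_t n = count_fields(list), empty;
    char **kw = calloc(n, sizeof *kw);
    if (!kw) { perror("calloc"); exit(1); }
    fill_keywords(list, kw, &empty);
    *nslots = n;   /* wrong: counts fields, not stored strings */
    return kw;
}

/* Hardened version: report the number of strings actually stored, so every
 * index below *nkw is a valid pointer, and tell the caller how many empty
 * fields were dropped so the map line can be logged and fixed. */
char **split_keywords_safe(const char *list, size_t *nkw, size_t *nempty) {
    size_t n = count_fields(list), empty;
    char **kw = calloc(n, sizeof *kw);
    if (!kw) { perror("calloc"); exit(1); }
    *nkw = fill_keywords(list, kw, &empty);
    if (nempty) *nempty = empty;
    return kw;
}

/* Number of slots below n that were never assigned. */
size_t count_unset_slots(char **kw, size_t n) {
    size_t holes = 0;
    for (size_t i = 0; i < n; i++)
        if (kw[i] == NULL) holes++;
    return holes;
}

/* Simplified dialogue matching: index of the first keyword found in spoken,
 * -1 if none.  Returns -2 on reaching an unset slot, the point where an
 * unchecked matcher would read through a bad pointer instead. */
int find_keyword(char **kw, size_t n, const char *spoken) {
    for (size_t i = 0; i < n; i++) {
        if (kw[i] == NULL) return -2;
        if (strstr(spoken, kw[i])) return (int)i;
    }
    return -1;
}

void free_keywords(char **kw, size_t n) {
    for (size_t i = 0; i < n; i++) free(kw[i]);   /* free(NULL) is a no-op */
    free(kw);
}

int main(void) {
    const char *bad  = "framed|frame|";   /* the line from the prison map */
    const char *good = "framed|frame";    /* the patched line */
    size_t n, e;
    char **kw = split_keywords_buggy(bad, &n);
    printf("%s: %zu slots, %zu unset\n", bad, n, count_unset_slots(kw, n));
    free_keywords(kw, n);
    kw = split_keywords_safe(bad, &n, &e);
    printf("%s (safe): %zu keywords, %zu empty field(s) dropped\n", bad, n, e);
    free_keywords(kw, n);
    kw = split_keywords_buggy(good, &n);
    printf("%s: %zu slots, %zu unset\n", good, n, count_unset_slots(kw, n));
    free_keywords(kw, n);
    return 0;
}
```

The only difference between the two split functions is which length they report; that is the whole bug, and it is why the mail's alternative fix (calculating nrofkeywords from what was actually stored) works without a placeholder keyword.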
--- maps.orig/city/anthony/prison	Sat May 27 04:51:14 2000
+++ maps/city/anthony/prison	Thu Jun 15 15:36:48 2000
@@ -598,7 +598,7 @@
 @match innocent
 I don't know how that lady's purse
 ended up in my pocket! I was framed!
-@match framed|frame|
+@match framed|frame
 Wise guy ha! Well Phooey to you too.
 I want my lawyer.
 @match *
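Review bot: this fixes only the one occurrence; the removed trailing `|` on `@match framed|frame|` is the empty alternative that sends parse_message down the crashing path, and any other `@match` line in the map tree that ends in `|` or contains `||` will do the same. Before treating the map side as done, grep the maps for `@match` lines with a trailing or doubled `|` and fix those in the same patch.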
--- crossfire/server/monster.c.orig	Thu Jun 15 15:37:51 2000
+++ crossfire/server/monster.c	Thu Jun 15 16:15:41 2000
@@ -1262,6 +1262,17 @@
           *line = '\0';
           if (last != line)
             msgs->keywords[msgnr][keywordnr++] = strdup_local(last);
+	  else {
+	        if (keywordnr<nrofkeywords)
+		{
+		   msgs->keywords[msgnr][keywordnr++] = strdup_local("xxxx");
+		   fprintf (stderr, "Tried to set a zero length message in parse_message\n");
+		   if (keywordnr>1)
+			   fprintf(stderr, "Msgnr %d, after keyword %s\n",msgnr+1,msgs->keywords[msgnr][keywordnr-2]);
+		   else
+			   fprintf(stderr, "Msgnr %d, first keyword\n",msgnr+1);
+		}
+	  }
           last = line + 1;
         }
       last = cp;
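Review bot: the placeholder `msgs->keywords[msgnr][keywordnr++] = strdup_local("xxxx");` becomes a real, matchable keyword, so a player who says "xxxx" to an NPC with a malformed @match line gets that message's response; if the slot must be filled, use a value that cannot occur in player speech, or take the alternative the covering mail mentions and count only non-empty keywords into nrofkeywords so no placeholder is needed. Two smaller points: the `keywordnr<nrofkeywords` bound check is only on the new branch, while the existing `if (last != line)` store has none, so if the count and the stored keywords ever disagree it is the existing branch that writes past the array; and the `fprintf(stderr, ...)` calls should sit behind the debug check the mail itself suggests (the added lines also mix tabs with the file's space indentation).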