From 3b74b2d1d63c0e6a05d49b3bcc39a4aa0172cc6f Mon Sep 17 00:00:00 2001
From: relesgoe
Date: Tue, 16 Mar 2021 17:53:10 -0700
Subject: [PATCH] Pass 'sizeof(mybuf) - 1' as the size of 'mybuf' in get_cmd_line(). This fixes an out-of-bounds access when recv() writes exactly 256 bytes into 'mybuf' and the subsequent code accesses or writes to the byte following the end of the 'mybuf' array.
---
 src/d2gs/telnetd.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/d2gs/telnetd.cpp b/src/d2gs/telnetd.cpp
index 0454826..8f56424 100644
--- a/src/d2gs/telnetd.cpp
+++ b/src/d2gs/telnetd.cpp
@@ -424,7 +424,7 @@ namespace pvpgn
 continue;
 }
 if (admin_to_stop()) return -1;
- if ((bytes=recv(ns, mybuf, sizeof(mybuf), 0))<=0)
+ if ((bytes=recv(ns, mybuf, sizeof(mybuf) - 1, 0))<=0)
 return -1;
 timeoutcount = 0;
 *(mybuf+bytes) = '\0';
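Review bot: The `- 1` in the new recv() call has no comment tying it to the `*(mybuf+bytes) = '\0';` write two lines below, so the reserved byte reads as an arbitrary adjustment and a later cleanup could remove it. I would add `/* reserve one byte for the NUL terminator stored at mybuf[bytes] below */` directly above the call. The bound is only correct while `mybuf` is an array declared in this scope, as the commit message states; its declaration is outside the hunk, and `sizeof(mybuf)` would silently become the pointer size if the buffer were ever turned into a pointer or a parameter. The enclosing function starts and ends outside the hunk, so how `bytes` is used after the terminator is written cannot be checked from here.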