The problems are the following:
1)
stack buffer-overflow in metaGetServerList
The 1024-byte buffer called buf can be overflowed by a server entry
longer than that size.
There is also an overflow in the servers array, but it is static, so it
doesn't seem possible to use this bug for executing malicious code.
from meta.c:
int metaGetServerList(char *remotehost, metaSRec_t **srvlist)
{
    static metaSRec_t servers[META_MAXSERVERS];
    ...
    char buf[1024];             /* server buffer */
    ...
    off = 0;
    while (read(s, &c, 1) > 0)
    {
        if (c != '\n')
        {
            buf[off++] = c;     /* off is never checked against sizeof(buf) */
        }
        else
        {                       /* we got one */
            buf[off] = 0;
            /* convert to a metaSRec_t */
            if (str2srec(&servers[nums], buf))
                nums++;         /* nums is never checked against META_MAXSERVERS */
    ...
2)
memory corruption with SP_CLIENTSTAT
The code that handles this type of packet doesn't sanitize the snum and
unum values passed by the server.
The snum problem is the simpler and quicker one to see, since the value is
used immediately when the packet is received, allowing a byte
(scstat->team) to be written to memory positions outside the Ships array:
from client.c:
void processPacket(Unsgn8 *buf)
    ...
    case SP_CLIENTSTAT:
        scstat = (spClientStat_t *)buf;
        Context.snum = scstat->snum;                /* server-controlled, unchecked */
        Context.unum = (int)ntohs(scstat->unum);    /* server-controlled, unchecked */
        Ships[Context.snum].team = scstat->team;    /* out-of-bounds write if snum is bad */
        clientFlags = scstat->flags;
        break;
    ...
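For both issues the fix is the same shape: check the index before the write. The following is an added illustration, not Conquest's own code; EX_MAXSERVERS, EX_MAXSHIPS and EX_BUFLEN are assumed stand-ins for the real limits and are kept small so the checks are exercised.

```c
#include <stddef.h>
#include <string.h>

/* Added example, not Conquest's own code. The constants stand in for the
 * real META_MAXSERVERS / MAXSHIPS / sizeof(buf) values and are
 * deliberately small. */
#define EX_MAXSERVERS 2
#define EX_MAXSHIPS   20
#define EX_BUFLEN     16

/* Bounded version of the metaGetServerList loop: splits a newline-
 * separated byte stream into entries, refusing any entry that would not
 * fit in an EX_BUFLEN buffer (-1) and refusing to store past the last
 * slot (-2). Returns the number of entries stored on success. */
int parse_server_list(const char *data, size_t len,
                      char out[EX_MAXSERVERS][EX_BUFLEN])
{
    char buf[EX_BUFLEN];
    size_t off = 0, i;
    int nums = 0;

    for (i = 0; i < len; i++) {
        char c = data[i];
        if (c != '\n') {
            if (off >= sizeof(buf) - 1)      /* keep room for the NUL */
                return -1;
            buf[off++] = c;
        } else {                             /* we got one */
            buf[off] = 0;
            if (nums >= EX_MAXSERVERS)       /* servers[] is full */
                return -2;
            memcpy(out[nums++], buf, off + 1);
            off = 0;
        }
    }
    return nums;
}

/* Validate a server-supplied ship number before it indexes Ships[]. */
int snum_is_valid(int snum)
{
    return snum >= 0 && snum < EX_MAXSHIPS;
}
```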
Let me know if you need other info.