From ae9d0666afe45b56b91613c190cc18d2ea174895 Mon Sep 17 00:00:00 2001 From: Attila Molnar Date: Thu, 18 Sep 2014 01:55:17 +0200 Subject: [PATCH 1/7] wumpus: Fix use after free leading to possible memory corruption when the wumpus eats a player CID: 1170468 --- wumpus.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/wumpus.c b/wumpus.c index 8c3c21c..eecfb7f 100644 --- a/wumpus.c +++ b/wumpus.c @@ -630,9 +630,11 @@ move_wumpus(void *unused) /* player_t *p has been eaten and is no longer in the game */ resign_player(p); } - - /* prepare for the next turn */ - p->has_moved = false; + else + { + /* prepare for the next turn */ + p->has_moved = false; + } } /* report any wumpus kills */ From 4cf851713fc843660c4c0a535d0fb5301ec3da72 Mon Sep 17 00:00:00 2001 From: Attila Molnar Date: Thu, 18 Sep 2014 01:58:14 +0200 Subject: [PATCH 2/7] os_trace: Fix inverted NULL check in trace_kill_exec() CID: 1170539 --- os_trace.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/os_trace.c b/os_trace.c index 874ce38..7763503 100644 --- a/os_trace.c +++ b/os_trace.c @@ -579,7 +579,7 @@ static void trace_kill_exec(user_t *u, trace_action_t *act) return; if (u->myuser && is_soper(u->myuser)) return; - if ((svs = service_find("operserv")) != NULL) + if ((svs = service_find("operserv")) == NULL) return; act->matched = true; From cd6b5cb478d4128799adc2c6803349077f56c5f3 Mon Sep 17 00:00:00 2001 From: Attila Molnar Date: Thu, 18 Sep 2014 02:00:24 +0200 Subject: [PATCH 3/7] gen_echoserver: Fix use after free in my_rhandler() CID: 1170467 --- gen_echoserver.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/gen_echoserver.c b/gen_echoserver.c index 74d7ed2..1655e0e 100644 --- a/gen_echoserver.c +++ b/gen_echoserver.c @@ -60,7 +60,7 @@ static void my_rhandler(connection_t * cptr) if (!my_read(cptr, buf)) connection_close(cptr); - + else do_packet(cptr, buf); } From 34415258385541d6ce8832ecad8dd72e2d5f45db Mon Sep 17 00:00:00 2001 
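Review bot: The loop around this branch in `move_wumpus()` (wumpus.c) lies outside the hunk, and it may still step from a node that `resign_player(p)` has just released. If it walks the player list with a plain iterator, reading the next pointer would be the same class of use-after-free as the one fixed here. Confirm that it uses a removal-safe form such as `MOWGLI_ITER_FOREACH_SAFE`. A comment on the branch, e.g. `/* p may be freed by resign_player(); do not touch it past this point */`, would record why the reset is now conditional.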
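Review bot: The assignment inside the condition in `trace_kill_exec()` (os_trace.c) makes an inverted comparison like the one fixed here easy to miss. Splitting it into `svs = service_find("operserv");` followed by `if (svs == NULL) return;` makes the guard read as a plain NULL check. A comment such as `/* operserv is required below; bail out if it is not loaded */` would state the intent, assuming `svs` is what the rest of the function uses, which the hunk does not show.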
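Review bot: The `if`/`else` in `my_rhandler()` (gen_echoserver.c) is left unbraced, which is the layout that let `do_packet()` run unconditionally after `connection_close()` in the first place. Bracing both arms, `if (!my_read(cptr, buf)) { connection_close(cptr); } else { do_packet(cptr, buf); }`, keeps a later added statement from silently escaping the branch. The same applies to the matching handler in gen_listenerdemo.c (PATCH 5/7).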
From: Attila Molnar Date: Thu, 18 Sep 2014 02:01:10 +0200 Subject: [PATCH 4/7] gen_echoserver: Fix inadequate check of the return value of recv() --- gen_echoserver.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/gen_echoserver.c b/gen_echoserver.c index 1655e0e..88c873d 100644 --- a/gen_echoserver.c +++ b/gen_echoserver.c @@ -58,7 +58,7 @@ static void my_rhandler(connection_t * cptr) { char buf[BUFSIZE * 2]; - if (!my_read(cptr, buf)) + if (my_read(cptr, buf) <= 0) connection_close(cptr); else do_packet(cptr, buf); From 6b30dd8bf9b8955d231cf9448429b40da86ca8c9 Mon Sep 17 00:00:00 2001 From: Attila Molnar Date: Thu, 18 Sep 2014 02:02:19 +0200 Subject: [PATCH 5/7] gen_listenerdemo: Fix uninitialized memory being passed to do_packet() from my_rhandler() CID: 1170502 --- gen_listenerdemo.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/gen_listenerdemo.c b/gen_listenerdemo.c index 7305524..8b87bc7 100644 --- a/gen_listenerdemo.c +++ b/gen_listenerdemo.c @@ -64,7 +64,7 @@ static void my_rhandler(connection_t * cptr) if (!my_read(cptr, buf)) connection_close(cptr); - + else do_packet(buf); } From 3ab69700ac2e717a76e1995092c9bbc403bc893c Mon Sep 17 00:00:00 2001 From: Attila Molnar Date: Thu, 18 Sep 2014 02:02:59 +0200 Subject: [PATCH 6/7] gen_listenerdemo: Fix inadequate check of the return value of recv() --- gen_listenerdemo.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/gen_listenerdemo.c b/gen_listenerdemo.c index 8b87bc7..dd8414b 100644 --- a/gen_listenerdemo.c +++ b/gen_listenerdemo.c @@ -62,7 +62,7 @@ static void my_rhandler(connection_t * cptr) { char buf[BUFSIZE * 2]; - if (!my_read(cptr, buf)) + if (my_read(cptr, buf) <= 0) connection_close(cptr); else do_packet(buf); From 04dc96b771521aef1cdbfc6f0fb35d234e0eab73 Mon Sep 17 00:00:00 2001 
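Review bot: The byte count returned by `my_read()` in `my_rhandler()` (gen_echoserver.c) is compared and then discarded, so `do_packet(cptr, buf)` receives a stack buffer with no length. `my_read()` is outside the hunk; if it does not NUL-terminate what it received, `do_packet()` could read stale or uninitialized bytes of `buf`. Consider keeping the count, `n = my_read(cptr, buf);`, and either terminating the buffer after checking `n < sizeof buf` or passing `n` on explicitly. The gen_listenerdemo.c hunk in PATCH 6/7 has the same shape.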
From: Attila Molnar Date: Thu, 18 Sep 2014 02:04:21 +0200 Subject: [PATCH 7/7] dnsbl: Fix memory leak in dnsbl_config_handler() CID: 1170515 --- dnsbl.c | 1 + 1 file changed, 1 insertion(+) diff --git a/dnsbl.c b/dnsbl.c index 51abf91..8d79c55 100644 --- a/dnsbl.c +++ b/dnsbl.c @@ -444,6 +444,7 @@ static int dnsbl_config_handler(mowgli_config_file_entry_t *ce) { char *line = sstrdup(cce->varname); new_blacklist(line); + free(line); } return 0;
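Review bot: `free(line)` in `dnsbl_config_handler()` (dnsbl.c) is only correct if `new_blacklist()` copies the string rather than storing the pointer, and that function is outside the hunk. If it retains `line`, this change trades the leak for a dangling pointer in the blacklist entry. If it does copy, the duplicate looks unnecessary and the call could likely be `new_blacklist(cce->varname);`, provided the argument is not modified. Either way, a comment such as `/* new_blacklist() copies the name; the temporary is ours to release */` would document the ownership.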