Date: Wed, 17 Feb 1999 13:03:45 -0800
From: Steven Hodges
To: BUGTRAQ@netspace.org
Subject: Tetrix 1.13.16 is Vulnerable
I have recently found a buffer overflow in a TetriNet daemon for Linux called "Tetrix" (tetrinetx 1.13.16). The server resolves the connecting address with gethostbyaddr() and strcpy()s the result into fixed 121-byte buffers, so to exploit this bug you need control of the reverse-DNS (PTR) record of the host you connect from, returning a hostname of at least 121 characters (the terminating NUL already spills past the buffer), plus any method of connecting to the host on port 31457. Once you are connected, the overflow takes place during the server's connection handling, before any protocol data is exchanged.
here is the patch!
----------------------------------snip snip-------------------------------
diff -ru tetrinetx-1.13.16.orig/src/main.c tetrinetx-1.13.16/src/main.c
--- tetrinetx-1.13.16.orig/src/main.c Thu Dec 24 00:24:50 1998
+++ tetrinetx-1.13.16/src/main.c Sun Feb 14 16:22:45 1999
@@ -2561,7 +2562,7 @@
/* Someone has just connected. So lets answer them */
void net_telnet(struct net_t *n, char *buf)
{
- unsigned long ip; int k,l; char s[121]; char strg[121];
+ unsigned long ip; int k,l; char s[UHOSTLEN]; char strg[121];
char n1[4], n2[4], n3[4], n4[4];
struct channel_t *chan, *ochan;
struct net_t *net;
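Review bot: The changed declaration grows `s` to UHOSTLEN but leaves `strg[121]` at the old size on the same line; if the body of net_telnet (which continues past the end of this hunk) formats the hostname from `s` into `strg` with sprintf or strcpy, a hostname of more than 120 characters still overflows `strg` exactly as it overflowed `s` before the patch. I cannot see the body here, so this is inferred from the pairing of the two buffers; please check every write into `strg` and either size it from the same constant, `char strg[UHOSTLEN + 64];`, or bound the write with `snprintf(strg, sizeof strg, ...)`. Sizing one buffer from UHOSTLEN while its sibling keeps a magic number also invites the next regression when the constant changes again. net_telnet's body is outside the hunk.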
diff -ru tetrinetx-1.13.16.orig/src/main.h tetrinetx-1.13.16/src/main.h
--- tetrinetx-1.13.16.orig/src/main.h Thu Dec 24 00:24:50 1998
+++ tetrinetx-1.13.16/src/main.h Sun Feb 14 16:19:06 1999
@@ -48,9 +48,8 @@
#define SERVERBUILD "16" /* What build we are at */
#define NICKLEN 30 /* Maximum length of Nickname */
#define VERLEN 10 /* Maximum length of Tetrinet version */
-#define UHOSTLEN 30 /* Maximum length of Hostname */
+#define UHOSTLEN 256 /* Maximum length of Hostname */
#define TEAMLEN NICKLEN /* Maximum length of teamname */
-/*#define MAXNET 80*/ /* Maximum network sockets */
#define MAXWINLIST 100 /* Maximum entries on Winlist */
#define TELNET_PORT 31457 /* Telnet port to listen on */
#define QUERY_PORT 31456 /* Query port to listen on */
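Review bot: The comment on the changed UHOSTLEN line still reads "Maximum length of Hostname", but the patch now uses the constant as a buffer size (`char s[UHOSTLEN]` in main.c and net.c) and the copy in net.c stops at UHOSTLEN-1 bytes, so the longest hostname the server actually keeps is 255 characters, not 256. A reader sizing a new buffer or format string from this constant needs that distinction stated: `#define UHOSTLEN 256 /* Size of hostname buffers; longest stored hostname is UHOSTLEN-1 chars */`. The value itself looks adequate since DNS names are bounded at 255 octets, but that only holds because the copy is bounded; any remaining unbounded strcpy of a resolver result would not be protected by the larger constant.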
diff -ru tetrinetx-1.13.16.orig/src/net.c tetrinetx-1.13.16/src/net.c
--- tetrinetx-1.13.16.orig/src/net.c Thu Dec 24 00:24:50 1998
+++ tetrinetx-1.13.16/src/net.c Sun Feb 14 16:22:11 1999
@@ -250,15 +250,17 @@
unsigned long ip;
{
struct hostent *hp; unsigned long addr=ip;
- unsigned char *p; static char s[121];
-/* alarm(10);*/
+ unsigned char *p; static char s[UHOSTLEN];
+
hp=gethostbyaddr((char *)&addr,sizeof(addr),AF_INET); /*alarm(0);*/
if (hp==NULL) {
p=(unsigned char *)&addr;
sprintf(s,"%u.%u.%u.%u",p[0],p[1],p[2],p[3]);
return s;
}
- strcpy(s,hp->h_name); return s;
+ strncpy(s,hp->h_name,(UHOSTLEN-1));
+ s[strlen(s)]='\0';
+ return s;
}
/* short routine to answer a connect received on a socket made previously
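Review bot: The added `s[strlen(s)]='\0';` does not terminate anything: strlen() stops at the first NUL, so the line rewrites a NUL that is already there, and when strncpy() copies a full UHOSTLEN-1 bytes with no terminator the result depends on s[UHOSTLEN-1] being zero from before. It happens to work here only because `s` is static (zero-initialised and never written past index UHOSTLEN-2 by either strncpy or the short sprintf), which is fragile and will break the moment the buffer becomes automatic or the bound changes. Replace the two lines with `snprintf(s, sizeof s, "%s", hp->h_name);`, which always terminates and truncates, or keep strncpy and write `s[UHOSTLEN-1] = '\0';` explicitly. The function's opening line and name are above the hunk; note also that returning a single static buffer was already non-reentrant before this change.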
----------------------------------snip snip-------------------------------