Fix: [Network] Determining GetNetworkRevisionString could overflow and underflow its buffer #9372
Motivation / Problem
Depending on the content of `_openttd_revision` and `_openttd_revision_hash`, `GetNetworkRevisionString()` could overflow and underflow its buffer for non-tagged releases. Practically it should not trigger if revision and revision_hash are set correctly by the build process.
In any case:

- If `_openttd_revision_hash` is less than 10 characters, it will read beyond the bounds.
- If `_openttd_revision` does not have a dash `-`, `hashofs` is effectively the negative hash. By "luck" it gets converted to `size_t` in the following `if`, so `hashofs` gets set to something more sane; but if that were not to happen, `strecpy` would start at `nullptr`.
- If `_openttd_revision`'s length is less than `githash_suffix`'s length, then `hashofs` becomes negative and `strecpy` would start writing before the buffer.

So, when the revision and hash are, for whatever reason, not filled, there are reads and writes beyond the bounds of buffers.
Description
Rewrite the code to use `std::string` and perform the appropriate checks on sizes. See https://godbolt.org/z/bbP3fxdxE for the behavior (old and new). When adding `-fsanitize=address` the example will be broken on the old version of the code.

Limitations

None, except the output differing in cases of under- and overflow.
Consideration can be made whether to backport it or not; problem is that it uses {fmt}, so some other manner of safely getting the githash should be devised in case it is going to be backported.
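As an added illustration (not the PR's own code), the following shows the shape of a `std::string` rewrite that handles the three inputs listed above without any negative or out-of-range offset; the function name, the constructed limits `kMaxRevisionLength` and `kHashPrefixLength`, and the released-version flag being passed in are assumptions for the example.

```cpp
#include <cstddef>
#include <string>
#include <string_view>

// Constructed limits for the example (assumptions, not OpenTTD's constants).
constexpr std::size_t kMaxRevisionLength = 33;  // field size including the NUL terminator
constexpr std::size_t kHashPrefixLength = 10;   // the "10 characters" mentioned in the PR
static_assert(1 + kHashPrefixLength < kMaxRevisionLength - 1, "suffix must always fit");

// std::string-based version of the described algorithm. All size arithmetic is
// done on clamped values, so a short hash, a revision without a dash, or a
// revision shorter than the suffix can no longer read or write out of bounds.
std::string BuildNetworkRevisionString(std::string_view revision,
                                       std::string_view revision_hash,
                                       bool is_released_version)
{
    // Keep at most what fits in the packet field, leaving room for the terminator.
    std::string result(revision.substr(0, kMaxRevisionLength - 1));

    // Tagged releases are sent verbatim.
    if (is_released_version) return result;

    // "-<hash prefix>": substr clamps the count, so a hash shorter than
    // kHashPrefixLength (or empty) is copied as-is and never over-read.
    std::string githash_suffix = "-";
    githash_suffix += revision_hash.substr(0, kHashPrefixLength);

    // Where did the old hash start? With no dash there is nothing to replace,
    // so the suffix is appended instead of treating npos as an offset.
    std::size_t hashofs = result.rfind('-');
    std::string prefix = (hashofs == std::string::npos) ? result : result.substr(0, hashofs);

    // If prefix + suffix would exceed the field, shorten the prefix (never the
    // suffix). prefix may legitimately be empty; no negative offset can arise.
    const std::size_t max_prefix = kMaxRevisionLength - 1 - githash_suffix.size();
    if (prefix.size() > max_prefix) prefix.resize(max_prefix);

    return prefix + githash_suffix;
}
```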
Checklist for review
Some things are not automated, and forgotten often. This list is a reminder for the reviewers.