Follow-up Comment #3, bug #20003 (project freeciv):
Thank you for your patch which fixes part A].
As to part B], it seems that the infinite loop comes from this part of
common/generate_packets.py:
<pre>
    else:
      return '''
for (;;) {
  int i;

  dio_get_uint8(&din, &i);
  if(i == 255) {
    break;
  }
  if(i > %(array_size_u)s) {
    log_error("packets_gen.c: WARNING: ignoring intra array diff");
  } else {
    %(c)s
  }
}'''%self.get_dict(vars())
</pre>
The only way out of the for(;;) is if we manage to read 255.
(What seems odd is that the exploit seems to send many 0xff's, and I would
have expected the opposite.)
_______________________________________________________
Reply to this item at:
<http://gna.org/bugs/?20003>
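
The termination property discussed in the comment above, as an added example that is not code from freeciv or from this bug report. It assumes a hypothetical bounded reader `get_u8` that fails at end of input without touching its output, and one value byte per array element. It contrasts a loop whose only exit is reading 255 with one that checks every read.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical bounded reader, standing in for the dio_* input state. */
struct reader { const uint8_t *buf; size_t len, pos; };

/* Returns false and leaves *out untouched once the buffer is exhausted. */
static bool get_u8(struct reader *r, int *out) {
  if (r->pos >= r->len) return false;
  *out = r->buf[r->pos++];
  return true;
}

/* Shape of the quoted loop: the read result is ignored, so 255 is the only
 * exit. `cap` exists only so this demo returns; the quoted loop has none.
 * Returns the number of iterations executed. */
size_t unchecked_iterations(const uint8_t *data, size_t len,
                            size_t array_size, size_t cap) {
  struct reader r = { data, len, 0 };
  size_t n = 0;
  while (n < cap) {
    int i = 0, v = 0;
    n++;
    (void)get_u8(&r, &i);
    if (i == 255) break;
    if ((size_t)i < array_size) (void)get_u8(&r, &v); /* element value */
  }
  return n;
}

enum diff_status { DIFF_OK, DIFF_TRUNCATED, DIFF_BAD_INDEX };

/* Same loop with every read checked: it ends on 255, on exhausted input,
 * or on an out-of-range index, so it runs at most `len` iterations. */
enum diff_status checked_diff(const uint8_t *data, size_t len,
                              uint8_t *array, size_t array_size) {
  struct reader r = { data, len, 0 };
  for (;;) {
    int i, v;
    if (!get_u8(&r, &i)) return DIFF_TRUNCATED;
    if (i == 255) return DIFF_OK;
    if ((size_t)i >= array_size) return DIFF_BAD_INDEX;
    if (!get_u8(&r, &v)) return DIFF_TRUNCATED;
    array[i] = (uint8_t)v;
  }
}
```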