authorludwig <ludwig@edf5b092-35ff-0310-97b2-ce42778d08ea>2006-12-31 15:36:42 +0000
committerludwig <ludwig@edf5b092-35ff-0310-97b2-ce42778d08ea>2006-12-31 15:36:42 +0000
commitea64cc1dc7033a1ede57f6bc278030429addeef9 (patch)
tree706b0c80eb6c002fb6ec86a6f82c304a4ad1d87d
parent148f86b3d35357bea3c7b981cbbc7a77e4e3fd56 (diff)
fix buffer overflow and format string bug in auth server response processing

git-svn-id: svn://svn.icculus.org/quake3/trunk@1025 edf5b092-35ff-0310-97b2-ce42778d08ea
-rw-r--r--code/qcommon/net_chan.c2
-rw-r--r--code/server/sv_client.c7
2 files changed, 3 insertions, 6 deletions
diff --git a/code/qcommon/net_chan.c b/code/qcommon/net_chan.c
index ac617cb..26f76db 100644
--- a/code/qcommon/net_chan.c
+++ b/code/qcommon/net_chan.c
@@ -719,7 +719,7 @@ void QDECL NET_OutOfBandPrint( netsrc_t sock, netadr_t adr, const char *format,
string[3] = -1;
va_start( argptr, format );
- vsprintf( string+4, format, argptr );
+ vsnprintf( string+4, sizeof(string)-4, format, argptr );
va_end( argptr );
// send the datagram
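Review bot: The result of `vsnprintf` is discarded, so an over-long message is truncated silently and, on C runtimes where `vsnprintf` maps to a non-terminating variant (MSVC's `_vsnprintf` behaves this way), `string` may be left without a NUL before it is sent. Adding `string[sizeof(string)-1] = '\0';` after `va_end( argptr );` closes that case on every platform; this assumes `string` is a local array, whose declaration is outside the hunk. Because callers pass network-derived text through this function, declaring its prototype with a printf format attribute (`__attribute__((format(printf, 3, 4)))` under GCC) would let the compiler flag any future non-literal format argument. The function starts and ends outside the hunk.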
diff --git a/code/server/sv_client.c b/code/server/sv_client.c
index 5685457..3a4a74b 100644
--- a/code/server/sv_client.c
+++ b/code/server/sv_client.c
@@ -149,7 +149,6 @@ void SV_AuthorizeIpPacket( netadr_t from ) {
int i;
char *s;
char *r;
- char ret[1024];
if ( !NET_CompareBaseAdr( from, svs.authorizeAddress ) ) {
Com_Printf( "SV_AuthorizeIpPacket: not from authorize server\n" );
@@ -195,8 +194,7 @@ void SV_AuthorizeIpPacket( netadr_t from ) {
if (!r) {
NET_OutOfBandPrint( NS_SERVER, svs.challenges[i].adr, "print\nAwaiting CD key authorization\n" );
} else {
- sprintf(ret, "print\n%s\n", r);
- NET_OutOfBandPrint( NS_SERVER, svs.challenges[i].adr, ret );
+ NET_OutOfBandPrint( NS_SERVER, svs.challenges[i].adr, "print\n%s\n", r);
}
// clear the challenge record so it won't timeout and let them through
Com_Memset( &svs.challenges[i], 0, sizeof( svs.challenges[i] ) );
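Review bot: The `else` branch relays `r` to the client with no length or content check, and `r` appears to be text parsed from the received packet, whose only visible origin check is the base-address comparison at the top of the function. Passing it as a `%s` argument removes the format-string interpretation, so what remains is silent truncation inside NET_OutOfBandPrint and unfiltered bytes reaching the client's print handler. A comment above the call, such as `// r is network data: pass it only as a %s argument, never as the format`, would keep a later edit from reintroducing the bug. The same applies to the identical call in the following hunk (the "Someone is using this CD Key" branch). The function body starts and ends outside the hunk.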
@@ -207,8 +205,7 @@ void SV_AuthorizeIpPacket( netadr_t from ) {
if (!r) {
NET_OutOfBandPrint( NS_SERVER, svs.challenges[i].adr, "print\nSomeone is using this CD Key\n" );
} else {
- sprintf(ret, "print\n%s\n", r);
- NET_OutOfBandPrint( NS_SERVER, svs.challenges[i].adr, ret );
+ NET_OutOfBandPrint( NS_SERVER, svs.challenges[i].adr, "print\n%s\n", r );
}
// clear the challenge record so it won't timeout and let them through