Safe handling of TEGid/auth_id strings

src/core/CNStructs.hpp

@@ -40,6 +40,7 @@
 
 // wrapper for U16toU8
 #define ARRLEN(x) (sizeof(x)/sizeof(*x))
+#define AUTOU8(x) std::string(x, ARRLEN(x))
 #define AUTOU16TOU8(x) U16toU8(x, ARRLEN(x)) 
 
 // TODO: rewrite U16toU8 & U8toU16 to not use codecvt

src/servers/CNLoginServer.cpp

@@ -109,18 +109,19 @@ void CNLoginServer::login(CNSocket* sock, CNPacketData* data) {
 
     std::string userLogin;
     std::string userPassword;
+
+    /*
+     * The std::string -> char* -> std::string maneuver should remove any
+     * trailing garbage after the null terminator.
+     */
     if (isCookieAuth) {
         // username encoded in TEGid raw
-        userLogin = std::string((char*)login->szCookie_TEGid);
+        userLogin = std::string(AUTOU8((char*)login->szCookie_TEGid).c_str());
 
-        // clients that use web login but without proper cookies
+        // N.B. clients that use web login without proper cookies
-        // send their passwords instead, so store that
+        // send their passwords in the cookie field
-        userPassword = std::string((char*)login->szCookie_authid);
+        userPassword = std::string(AUTOU8((char*)login->szCookie_authid).c_str());
     } else {
-        /*
-         * The std::string -> char* -> std::string maneuver should remove any
-         * trailing garbage after the null terminator.
-         */
         userLogin = std::string(AUTOU16TOU8(login->szID).c_str());
         userPassword = std::string(AUTOU16TOU8(login->szPassword).c_str());
     }
@@ -171,7 +172,7 @@ void CNLoginServer::login(CNSocket* sock, CNPacketData* data) {
     }
 
     if (isCookieAuth) {
-        const char *cookie = reinterpret_cast<const char*>(login->szCookie_authid);
+        const char *cookie = userPassword.c_str();
         if (!Database::checkCookie(findUser.AccountID, cookie))
             return loginFail(LoginError::ID_AND_PASSWORD_DO_NOT_MATCH, userLogin, sock);
     } else {