OpenPunk
/
OpenFusion
mirror of https://github.com/OpenFusionProject/OpenFusion.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Account for the size of packet length and ID in validation functions.

This commit is contained in:
dongresource 2020-09-08 03:01:47 +02:00
parent e90ae10746
commit 45a33758a5
3 changed files with 5 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
src/CNProtocol.hpp
View File

@ -75,14 +75,14 @@ inline void* xmalloc(size_t sz) {
// for outbound packets
inline bool validOutVarPacket(size_t base, int32_t npayloads, size_t plsize) {
// check for multiplication overflow
if (npayloads > 0 && CN_PACKET_BUFFER_SIZE / (size_t)npayloads < plsize)
if (npayloads > 0 && (CN_PACKET_BUFFER_SIZE - 8) / (size_t)npayloads < plsize)
return false;
// it's safe to multiply
size_t trailing = npayloads * plsize;
// does it fit in a packet?
if (base + trailing > CN_PACKET_BUFFER_SIZE)
if (base + trailing > CN_PACKET_BUFFER_SIZE - 8)
return false;
// everything is a-ok!
@ -92,7 +92,7 @@ inline bool validOutVarPacket(size_t base, int32_t npayloads, size_t plsize) {
// for inbound packets
inline bool validInVarPacket(size_t base, int32_t npayloads, size_t plsize, size_t datasize) {
// check for multiplication overflow
if (npayloads > 0 && CN_PACKET_BUFFER_SIZE / (size_t)npayloads < plsize)
if (npayloads > 0 && (CN_PACKET_BUFFER_SIZE - 8) / (size_t)npayloads < plsize)
return false;
// it's safe to multiply

2
src/CombatManager.cpp
View File

@ -91,7 +91,7 @@ void CombatManager::giveReward(CNSocket *sock) {
Player *plr = PlayerManager::getPlayer(sock);
const size_t resplen = sizeof(sP_FE2CL_REP_REWARD_ITEM) + sizeof(sItemReward);
assert(resplen < CN_PACKET_BUFFER_SIZE);
assert(resplen < CN_PACKET_BUFFER_SIZE - 8);
// we know it's only one trailing struct, so we can skip full validation
uint8_t respbuf[resplen]; // not a variable length array, don't worry

2
src/ItemManager.cpp
View File

@ -679,7 +679,7 @@ void ItemManager::chestOpenHandler(CNSocket *sock, CNPacketData *data) {
// item giving packet
const size_t resplen = sizeof(sP_FE2CL_REP_REWARD_ITEM) + sizeof(sItemReward);
assert(resplen < CN_PACKET_BUFFER_SIZE);
assert(resplen < CN_PACKET_BUFFER_SIZE - 8);
// we know it's only one trailing struct, so we can skip full validation
uint8_t respbuf[resplen]; // not a variable length array, don't worry