From 45a33758a525a5e53a3201b7fee8c18a6518a08e Mon Sep 17 00:00:00 2001 From: dongresource Date: Tue, 8 Sep 2020 03:01:47 +0200 Subject: [PATCH] Account for the size of packet length and ID in validation functions. --- src/CNProtocol.hpp | 6 +++--- src/CombatManager.cpp | 2 +- src/ItemManager.cpp | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/src/CNProtocol.hpp b/src/CNProtocol.hpp index cc47ece..c83c26e 100644 --- a/src/CNProtocol.hpp +++ b/src/CNProtocol.hpp @@ -75,14 +75,14 @@ inline void* xmalloc(size_t sz) { // for outbound packets inline bool validOutVarPacket(size_t base, int32_t npayloads, size_t plsize) { // check for multiplication overflow - if (npayloads > 0 && CN_PACKET_BUFFER_SIZE / (size_t)npayloads < plsize) + if (npayloads > 0 && (CN_PACKET_BUFFER_SIZE - 8) / (size_t)npayloads < plsize) return false; // it's safe to multiply size_t trailing = npayloads * plsize; // does it fit in a packet? - if (base + trailing > CN_PACKET_BUFFER_SIZE) + if (base + trailing > CN_PACKET_BUFFER_SIZE - 8) return false; // everything is a-ok! @@ -92,7 +92,7 @@ inline bool validOutVarPacket(size_t base, int32_t npayloads, size_t plsize) { // for inbound packets inline bool validInVarPacket(size_t base, int32_t npayloads, size_t plsize, size_t datasize) { // check for multiplication overflow - if (npayloads > 0 && CN_PACKET_BUFFER_SIZE / (size_t)npayloads < plsize) + if (npayloads > 0 && (CN_PACKET_BUFFER_SIZE - 8) / (size_t)npayloads < plsize) return false; // it's safe to multiply diff --git a/src/CombatManager.cpp b/src/CombatManager.cpp index bb77b75..afeedcc 100644 --- a/src/CombatManager.cpp +++ b/src/CombatManager.cpp @@ -91,7 +91,7 @@ void CombatManager::giveReward(CNSocket *sock) { Player *plr = PlayerManager::getPlayer(sock); const size_t resplen = sizeof(sP_FE2CL_REP_REWARD_ITEM) + sizeof(sItemReward); - assert(resplen < CN_PACKET_BUFFER_SIZE); + assert(resplen < CN_PACKET_BUFFER_SIZE - 8); // we know it's only one trailing struct, so we can skip full validation uint8_t respbuf[resplen]; // not a variable length array, don't worry diff --git a/src/ItemManager.cpp b/src/ItemManager.cpp index d43817a..5335126 100644 --- a/src/ItemManager.cpp +++ b/src/ItemManager.cpp @@ -679,7 +679,7 @@ void ItemManager::chestOpenHandler(CNSocket *sock, CNPacketData *data) { // item giving packet const size_t resplen = sizeof(sP_FE2CL_REP_REWARD_ITEM) + sizeof(sItemReward); - assert(resplen < CN_PACKET_BUFFER_SIZE); + assert(resplen < CN_PACKET_BUFFER_SIZE - 8); // we know it's only one trailing struct, so we can skip full validation uint8_t respbuf[resplen]; // not a variable length array, don't worry