Account for the size of packet length and ID in validation functions.

This commit is contained in:
dongresource 2020-09-08 03:01:47 +02:00
parent e90ae10746
commit 45a33758a5
3 changed files with 5 additions and 5 deletions

View File

@ -75,14 +75,14 @@ inline void* xmalloc(size_t sz) {
// for outbound packets // for outbound packets
inline bool validOutVarPacket(size_t base, int32_t npayloads, size_t plsize) { inline bool validOutVarPacket(size_t base, int32_t npayloads, size_t plsize) {
// check for multiplication overflow // check for multiplication overflow
if (npayloads > 0 && CN_PACKET_BUFFER_SIZE / (size_t)npayloads < plsize) if (npayloads > 0 && (CN_PACKET_BUFFER_SIZE - 8) / (size_t)npayloads < plsize)
return false; return false;
// it's safe to multiply // it's safe to multiply
size_t trailing = npayloads * plsize; size_t trailing = npayloads * plsize;
// does it fit in a packet? // does it fit in a packet?
if (base + trailing > CN_PACKET_BUFFER_SIZE) if (base + trailing > CN_PACKET_BUFFER_SIZE - 8)
return false; return false;
// everything is a-ok! // everything is a-ok!
@ -92,7 +92,7 @@ inline bool validOutVarPacket(size_t base, int32_t npayloads, size_t plsize) {
// for inbound packets // for inbound packets
inline bool validInVarPacket(size_t base, int32_t npayloads, size_t plsize, size_t datasize) { inline bool validInVarPacket(size_t base, int32_t npayloads, size_t plsize, size_t datasize) {
// check for multiplication overflow // check for multiplication overflow
if (npayloads > 0 && CN_PACKET_BUFFER_SIZE / (size_t)npayloads < plsize) if (npayloads > 0 && (CN_PACKET_BUFFER_SIZE - 8) / (size_t)npayloads < plsize)
return false; return false;
// it's safe to multiply // it's safe to multiply

View File

@ -91,7 +91,7 @@ void CombatManager::giveReward(CNSocket *sock) {
Player *plr = PlayerManager::getPlayer(sock); Player *plr = PlayerManager::getPlayer(sock);
const size_t resplen = sizeof(sP_FE2CL_REP_REWARD_ITEM) + sizeof(sItemReward); const size_t resplen = sizeof(sP_FE2CL_REP_REWARD_ITEM) + sizeof(sItemReward);
assert(resplen < CN_PACKET_BUFFER_SIZE); assert(resplen < CN_PACKET_BUFFER_SIZE - 8);
// we know it's only one trailing struct, so we can skip full validation // we know it's only one trailing struct, so we can skip full validation
uint8_t respbuf[resplen]; // not a variable length array, don't worry uint8_t respbuf[resplen]; // not a variable length array, don't worry

View File

@ -679,7 +679,7 @@ void ItemManager::chestOpenHandler(CNSocket *sock, CNPacketData *data) {
// item giving packet // item giving packet
const size_t resplen = sizeof(sP_FE2CL_REP_REWARD_ITEM) + sizeof(sItemReward); const size_t resplen = sizeof(sP_FE2CL_REP_REWARD_ITEM) + sizeof(sItemReward);
assert(resplen < CN_PACKET_BUFFER_SIZE); assert(resplen < CN_PACKET_BUFFER_SIZE - 8);
// we know it's only one trailing struct, so we can skip full validation // we know it's only one trailing struct, so we can skip full validation
uint8_t respbuf[resplen]; // not a variable length array, don't worry uint8_t respbuf[resplen]; // not a variable length array, don't worry