authorDennis Friis <peavey@inspircd.org>2009-06-23 17:04:32 +0200
committerDennis Friis <peavey@inspircd.org>2009-06-25 01:13:21 +0200
commitd931d8e3350ebfde68bd4120e05b9b1ca940ae76 (patch)
tree28a43c5f49026d5b8b11871c5199b2945169ae67
parentc0ac4c9070fca4e2d00d4f9ebdfae76546d8e243 (diff)
Fail storage parse if storage is dirty and unsaved. Derived from ea stable.
-rw-r--r--src/map/intif.c38
1 files changed, 31 insertions, 7 deletions
diff --git a/src/map/intif.c b/src/map/intif.c
index ca9d3c3..7f3eafc 100644
--- a/src/map/intif.c
+++ b/src/map/intif.c
@@ -579,21 +579,33 @@ int intif_parse_LoadStorage(int fd) {
struct storage *stor;
struct map_session_data *sd;
- stor = account2storage( RFIFOL(fd,4));
- if (RFIFOW(fd,2)-8 != sizeof(struct storage)) {
- if (battle_config.error_log)
- printf("intif_parse_LoadStorage: data size error %d %d\n", RFIFOW(fd,2)-8, sizeof(struct storage));
- return 1;
- }
sd=map_id2sd( RFIFOL(fd,4) );
if(sd==NULL){
if(battle_config.error_log)
printf("intif_parse_LoadStorage: user not found %d\n",RFIFOL(fd,4));
return 1;
}
+ stor = account2storage( RFIFOL(fd,4));
+ if (stor->storage_status == 1) { // Already open.. lets ignore this update
+ if (battle_config.error_log)
+ printf("intif_parse_LoadStorage: storage received for a client already open (User %d:%d)\n", sd->status.account_id, sd->status.char_id);
+ return 1;
+ }
+ if (stor->dirty) { // Already have storage, and it has been modified and not saved yet! Exploit! [Skotlex]
+ if (battle_config.error_log)
+ printf("intif_parse_LoadStorage: received storage for an already modified non-saved storage! (User %d:%d)\n", sd->status.account_id, sd->status.char_id);
+ return 1;
+ }
+
+ if (RFIFOW(fd,2)-8 != sizeof(struct storage)) {
+ if (battle_config.error_log)
+ printf("intif_parse_LoadStorage: data size error %d %d\n", RFIFOW(fd,2)-8, sizeof(struct storage));
+ return 1;
+ }
if(battle_config.save_log)
printf("intif_openstorage: %d\n",RFIFOL(fd,4) );
memcpy(stor,RFIFOP(fd,8),sizeof(struct storage));
+ stor->dirty=0;
stor->storage_status=1;
sd->state.storage_flag = 1;
clif_storageitemlist(sd,stor);
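Review bot: The rejection at `if (stor->dirty)` is reported only when `battle_config.error_log` is set, although the inline comment marks this case as an exploit attempt, so a server running with error logging off keeps no trace of it. I would log this one case unconditionally by dropping the `if (battle_config.error_log)` line in front of its `printf`; the same applies to the `gstor->dirty` check in the last hunk. Separately, `stor` is dereferenced at `stor->storage_status` directly after `account2storage()` with no NULL test, while the guild path tests `if(!gstor)`; whether account2storage() can return NULL is not visible here. The function body continues past the end of this hunk.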
@@ -616,7 +628,9 @@ int intif_parse_LoadGuildStorage(int fd)
{
struct guild_storage *gstor;
struct map_session_data *sd;
- int guild_id = RFIFOL(fd,8);
+ int guild_id;
+
+ guild_id = RFIFOL(fd,8);
if(guild_id > 0) {
gstor=guild2storage(guild_id);
if(!gstor) {
@@ -636,6 +650,16 @@ int intif_parse_LoadGuildStorage(int fd)
printf("intif_parse_LoadGuildStorage: user not found %d\n",RFIFOL(fd,4));
return 1;
}
+ if (gstor->storage_status == 1) { // Already open.. lets ignore this update
+ if (battle_config.error_log)
+ printf("intif_parse_LoadGuildStorage: storage received for a client already open (User %d:%d)\n", sd->status.account_id, sd->status.char_id);
+ return 1;
+ }
+ if (gstor->dirty) { // Already have storage, and it has been modified and not saved yet! Exploit! [Skotlex]
+ if (battle_config.error_log)
+ printf("intif_parse_LoadGuildStorage: received storage for an already modified non-saved storage! (User %d:%d)\n", sd->status.account_id, sd->status.char_id);
+ return 1;
+ }
if(battle_config.save_log)
printf("intif_open_guild_storage: %d\n",RFIFOL(fd,4) );
memcpy(gstor,RFIFOP(fd,12),sizeof(struct guild_storage));
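Review bot: After the `memcpy` into `gstor` this commit adds no `gstor->dirty=0;`, while the account-storage hunk adds `stor->dirty=0;` right after its own `memcpy`. Because the copy overwrites the whole struct with bytes taken from the inter-server packet, `gstor->dirty` ends up holding whatever the sender put there, and a nonzero value would make the new `if (gstor->dirty)` guard reject every later load for that guild. Unless the unchanged lines after this hunk already reset the field, add `gstor->dirty=0;` directly after the `memcpy`. The function body starts and ends outside the hunk.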