authorultramage <ultramage@54d463be-8e91-2dee-dedb-b68131a5f0ec>2009-04-23 15:09:17 +0000
committerultramage <ultramage@54d463be-8e91-2dee-dedb-b68131a5f0ec>2009-04-23 15:09:17 +0000
commita7e38ac4436d545ad3dd1c9ed35ed5c1300af1c1 (patch)
treec4becea4d70a8d41b6e46db26ff019ccfff8b378 /src/map/clif.c
parentd84ca1c320b8a4942ddc5d5cc53a20568cc8bd10 (diff)
Added length check to functions clif_parse_CreateChatRoom and clif_parse_ChatRoomStatusChange (bugreport:2999).
This prevents a signed/unsigned integer overflow when calling the safestrncpy function. Also added a note regarding a potential out-of-bounds access issue in these functions. git-svn-id: https://rathena.svn.sourceforge.net/svnroot/rathena/trunk@13690 54d463be-8e91-2dee-dedb-b68131a5f0ec
Diffstat (limited to 'src/map/clif.c')
-rw-r--r--src/map/clif.c16
1 files changed, 11 insertions, 5 deletions
diff --git a/src/map/clif.c b/src/map/clif.c
index bc2392504..3baba439e 100644
--- a/src/map/clif.c
+++ b/src/map/clif.c
@@ -9095,8 +9095,8 @@ void clif_parse_CreateChatRoom(int fd, struct map_session_data* sd)
bool pub = (RFIFOB(fd,6) != 0);
const char* password = (char*)RFIFOP(fd,7); //not zero-terminated
const char* title = (char*)RFIFOP(fd,15); // not zero-terminated
- char s_title[CHATROOM_TITLE_SIZE];
char s_password[CHATROOM_PASS_SIZE];
+ char s_title[CHATROOM_TITLE_SIZE];
if (sd->sc.data[SC_NOCHAT] && sd->sc.data[SC_NOCHAT]->val1&MANNER_NOROOM)
return;
@@ -9105,8 +9105,11 @@ void clif_parse_CreateChatRoom(int fd, struct map_session_data* sd)
return;
}
- safestrncpy(s_title, title, min(len+1,CHATROOM_TITLE_SIZE));
+ if( len <= 0 )
+ return; // invalid input
+
safestrncpy(s_password, password, CHATROOM_PASS_SIZE);
+ safestrncpy(s_title, title, min(len+1,CHATROOM_TITLE_SIZE)); //NOTE: assumes that safestrncpy will not access the len+1'th byte
chat_createpcchat(sd, s_title, s_password, limit, pub);
}
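Review bot: The title copy at the end of clif_parse_CreateChatRoom still depends on an unverified property of safestrncpy, as the added NOTE itself admits: `title` is not zero-terminated, and the size passed is `len+1`. safestrncpy's body is not shown here; if it forwards the full count to a strncpy-style loop, a title with no NUL byte makes it read one byte past the field. Copying exactly the bytes that belong to the title removes that dependency: `size_t n = min(len, CHATROOM_TITLE_SIZE-1); memcpy(s_title, title, n); s_title[n] = '\0';`. The same line appears in clif_parse_ChatRoomStatusChange in the last hunk. Both functions start outside their hunks, so how `len` is derived and whether it is checked against the bytes actually buffered cannot be confirmed from here.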
@@ -9134,11 +9137,14 @@ void clif_parse_ChatRoomStatusChange(int fd, struct map_session_data* sd)
bool pub = (RFIFOB(fd,6) != 0);
const char* password = (char*)RFIFOP(fd,7); // not zero-terminated
const char* title = (char*)RFIFOP(fd,15); // not zero-terminated
-
- char s_title[CHATROOM_TITLE_SIZE];
char s_password[CHATROOM_PASS_SIZE];
- safestrncpy(s_title, title, min(len+1,CHATROOM_TITLE_SIZE));
+ char s_title[CHATROOM_TITLE_SIZE];
+
+ if( len <= 0 )
+ return; // invalid input
+
safestrncpy(s_password, password, CHATROOM_PASS_SIZE);
+ safestrncpy(s_title, title, min(len+1,CHATROOM_TITLE_SIZE)); //NOTE: assumes that safestrncpy will not access the len+1'th byte
chat_changechatstatus(sd, s_title, s_password, limit, pub);
}
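Review bot: The new `if( len <= 0 ) return; // invalid input` in clif_parse_ChatRoomStatusChange drops a malformed packet without leaving any trace, and the same applies to the identical check in clif_parse_CreateChatRoom. A non-positive title length cannot come from a well-behaved client, so this is worth recording for whoever monitors the server. For example, before the return: `ShowWarning("clif_parse_ChatRoomStatusChange: invalid title length %d (account %d)\n", len, sd->status.account_id);`. The comment could also say where `len` comes from, since its computation lies outside the hunk.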