authorLance <Lance@54d463be-8e91-2dee-dedb-b68131a5f0ec>2006-11-17 17:27:19 +0000
committerLance <Lance@54d463be-8e91-2dee-dedb-b68131a5f0ec>2006-11-17 17:27:19 +0000
commitdb5dbe795d5485977aa7522f2000f0fe2cda0a29 (patch)
tree0f2452b073a96e9225f23899ca9b0d394488aea5 /src/map
parentdce529d5b1443eb0215589c61dcd834a6e2f802d (diff)
* Fixed potential hack by modifying packet of whispers.
modified Changelog-Trunk.txt modified src/map/clif.c git-svn-id: https://rathena.svn.sourceforge.net/svnroot/rathena/trunk@9249 54d463be-8e91-2dee-dedb-b68131a5f0ec
Diffstat (limited to 'src/map')
-rw-r--r--src/map/clif.c15
1 files changed, 13 insertions, 2 deletions
diff --git a/src/map/clif.c b/src/map/clif.c
index 63c334492..9ef8c7b94 100644
--- a/src/map/clif.c
+++ b/src/map/clif.c
@@ -9055,12 +9055,23 @@ void clif_parse_Wis(int fd, struct map_session_data *sd) { // S 0096 <len>.w <ni
struct npc_data *npc;
char split_data[10][50];
char target[NAME_LENGTH+1];
- char output[256];
+ char output[256];
+ unsigned int speclen, scanlen;
RFIFOHEAD(fd);
//printf("clif_parse_Wis: message: '%s'.\n", RFIFOP(fd,28));
- gm_command = (char*)aMallocA((strlen((const char*)RFIFOP(fd,28)) + 28)*sizeof(char)); // 24+3+(RFIFOW(fd,2)-28)+1 or 24+3+(strlen(RFIFOP(fd,28))+1 (size can be wrong with hacker)
+ // Prevent hacked packets like missing null terminator or wrong len specification. [Lance]
+ speclen = (unsigned int)RFIFOW(fd,2);
+ scanlen = strlen((const char*)RFIFOP(fd,28)) + 28;
+
+ if(scanlen != speclen){
+ ShowWarning("Hack on Whisper: %s (AID: %d)!\n", sd->status.name, sd->bl.id);
+ clif_GM_kick(sd,sd,0);
+ return;
+ }
+
+ gm_command = (char*)aMallocA(speclen * sizeof(char)); // 24+3+(RFIFOW(fd,2)-28)+1 or 24+3+(strlen(RFIFOP(fd,28))+1 (size can be wrong with hacker)
sprintf(gm_command, "%s : %s", sd->status.name, RFIFOP(fd,28));
if ((is_charcommand(fd, sd, gm_command) != CharCommand_None) ||