diff options
| author | ultramage <ultramage@54d463be-8e91-2dee-dedb-b68131a5f0ec> | 2009-04-23 15:09:17 +0000 |
|---|---|---|
| committer | ultramage <ultramage@54d463be-8e91-2dee-dedb-b68131a5f0ec> | 2009-04-23 15:09:17 +0000 |
| commit | a7e38ac4436d545ad3dd1c9ed35ed5c1300af1c1 (patch) | |
| tree | c4becea4d70a8d41b6e46db26ff019ccfff8b378 /src | |
| parent | d84ca1c320b8a4942ddc5d5cc53a20568cc8bd10 (diff) | |
| download | hercules-a7e38ac4436d545ad3dd1c9ed35ed5c1300af1c1.tar.gz hercules-a7e38ac4436d545ad3dd1c9ed35ed5c1300af1c1.tar.bz2 hercules-a7e38ac4436d545ad3dd1c9ed35ed5c1300af1c1.tar.xz hercules-a7e38ac4436d545ad3dd1c9ed35ed5c1300af1c1.zip | |
Added length check to functions clif_parse_CreateChatRoom and clif_parse_ChatRoomStatusChange (bugreport:2999).
This prevents a signed/unsigned integer overflow when calling the safestrncpy function.
Also added a note regarding a potential out-of-bounds access issue in these functions.
git-svn-id: https://rathena.svn.sourceforge.net/svnroot/rathena/trunk@13690 54d463be-8e91-2dee-dedb-b68131a5f0ec
Diffstat (limited to 'src')
| -rw-r--r-- | src/map/clif.c | 16 | ||||
| -rw-r--r-- | src/map/mob.c | 1 |
2 files changed, 11 insertions, 6 deletions
diff --git a/src/map/clif.c b/src/map/clif.c index bc2392504..3baba439e 100644 --- a/src/map/clif.c +++ b/src/map/clif.c @@ -9095,8 +9095,8 @@ void clif_parse_CreateChatRoom(int fd, struct map_session_data* sd) bool pub = (RFIFOB(fd,6) != 0); const char* password = (char*)RFIFOP(fd,7); //not zero-terminated const char* title = (char*)RFIFOP(fd,15); // not zero-terminated - char s_title[CHATROOM_TITLE_SIZE]; char s_password[CHATROOM_PASS_SIZE]; + char s_title[CHATROOM_TITLE_SIZE]; if (sd->sc.data[SC_NOCHAT] && sd->sc.data[SC_NOCHAT]->val1&MANNER_NOROOM) return; @@ -9105,8 +9105,11 @@ void clif_parse_CreateChatRoom(int fd, struct map_session_data* sd) return; } - safestrncpy(s_title, title, min(len+1,CHATROOM_TITLE_SIZE)); + if( len <= 0 ) + return; // invalid input + safestrncpy(s_password, password, CHATROOM_PASS_SIZE); + safestrncpy(s_title, title, min(len+1,CHATROOM_TITLE_SIZE)); //NOTE: assumes that safestrncpy will not access the len+1'th byte chat_createpcchat(sd, s_title, s_password, limit, pub); } @@ -9134,11 +9137,14 @@ void clif_parse_ChatRoomStatusChange(int fd, struct map_session_data* sd) bool pub = (RFIFOB(fd,6) != 0); const char* password = (char*)RFIFOP(fd,7); // not zero-terminated const char* title = (char*)RFIFOP(fd,15); // not zero-terminated - - char s_title[CHATROOM_TITLE_SIZE]; char s_password[CHATROOM_PASS_SIZE]; - safestrncpy(s_title, title, min(len+1,CHATROOM_TITLE_SIZE)); + char s_title[CHATROOM_TITLE_SIZE]; + + if( len <= 0 ) + return; // invalid input + safestrncpy(s_password, password, CHATROOM_PASS_SIZE); + safestrncpy(s_title, title, min(len+1,CHATROOM_TITLE_SIZE)); //NOTE: assumes that safestrncpy will not access the len+1'th byte chat_changechatstatus(sd, s_title, s_password, limit, pub); } diff --git a/src/map/mob.c b/src/map/mob.c index a249d2724..4577ce0bd 100644 --- a/src/map/mob.c +++ b/src/map/mob.c @@ -47,7 +47,6 @@ // Move probability for mobs away from players (rate of 1000 minute) // in Aegis, this is 100% for mobs that have been activated by players and none otherwise. #define MOB_LAZYMOVEPERC(md) (md->state.spotted?1000:0) -#define MOB_LAZYWARPPERC 20 // Warp probability in the negligent mode MOB (rate of 1000 minute) #define MOB_MAX_DELAY (24*3600*1000) #define MAX_MINCHASE 30 //Max minimum chase value to use for mobs. #define RUDE_ATTACKED_COUNT 2 //After how many rude-attacks should the skill be used? |