diff options
-rw-r--r-- | Changelog-Trunk.txt | 1 | ||||
-rw-r--r-- | src/map/clif.c | 15 |
2 files changed, 14 insertions, 2 deletions
diff --git a/Changelog-Trunk.txt b/Changelog-Trunk.txt index 432eece5f..ab0b9b5b3 100644 --- a/Changelog-Trunk.txt +++ b/Changelog-Trunk.txt @@ -4,6 +4,7 @@ AS OF SVN REV. 5091, WE ARE NOW USING TRUNK. ALL UNTESTED BUGFIXES/FEATURES GO IF YOU HAVE A WORKING AND TESTED BUGFIX PUT IT INTO STABLE AS WELL AS TRUNK.
2006/11/17
+ * Fixed potential hack by modifying packet of whispers. [Lance]
* Fixed potential crash in IRC processing message with '%' using *printf. [Lance]
* Fixed memory leaking caused by homun_data not freed when removed. [Lance]
* Fixed client not validating the chat-kick-request packet, which can cause
diff --git a/src/map/clif.c b/src/map/clif.c index 63c334492..9ef8c7b94 100644 --- a/src/map/clif.c +++ b/src/map/clif.c @@ -9055,12 +9055,23 @@ void clif_parse_Wis(int fd, struct map_session_data *sd) { // S 0096 <len>.w <ni struct npc_data *npc;
char split_data[10][50];
char target[NAME_LENGTH+1];
- char output[256];
+ char output[256];
+ unsigned int speclen, scanlen;
RFIFOHEAD(fd);
//printf("clif_parse_Wis: message: '%s'.\n", RFIFOP(fd,28));
- gm_command = (char*)aMallocA((strlen((const char*)RFIFOP(fd,28)) + 28)*sizeof(char)); // 24+3+(RFIFOW(fd,2)-28)+1 or 24+3+(strlen(RFIFOP(fd,28))+1 (size can be wrong with hacker)
+ // Prevent hacked packets like missing null terminator or wrong len specification. [Lance]
+ speclen = (unsigned int)RFIFOW(fd,2);
+ scanlen = strlen((const char*)RFIFOP(fd,28)) + 28;
+
+ if(scanlen != speclen){
+ ShowWarning("Hack on Whisper: %s (AID: %d)!\n", sd->status.name, sd->bl.id);
+ clif_GM_kick(sd,sd,0);
+ return;
+ }
+
+ gm_command = (char*)aMallocA(speclen * sizeof(char)); // 24+3+(RFIFOW(fd,2)-28)+1 or 24+3+(strlen(RFIFOP(fd,28))+1 (size can be wrong with hacker)
sprintf(gm_command, "%s : %s", sd->status.name, RFIFOP(fd,28));
if ((is_charcommand(fd, sd, gm_command) != CharCommand_None) ||
|