diff options
-rw-r--r-- | Changelog-Trunk.txt | 6 | ||||
-rw-r--r-- | src/common/socket.c | 10 |
2 files changed, 13 insertions, 3 deletions
diff --git a/Changelog-Trunk.txt b/Changelog-Trunk.txt index 546895757..81ac6ca84 100644 --- a/Changelog-Trunk.txt +++ b/Changelog-Trunk.txt @@ -3,8 +3,10 @@ Date Added AS OF SVN REV. 5091, WE ARE NOW USING TRUNK. ALL UNTESTED BUGFIXES/FEATURES GO INTO TRUNK. IF YOU HAVE A WORKING AND TESTED BUGFIX PUT IT INTO STABLE AS WELL AS TRUNK. +2009/02/20 + * Modified WFIFOSET to trigger a fatal error when trying to send a packet that is too big. [FlavioJS] 2009/02/19 - * Fixed impropper filling of w4 in npc_parsesrcfile when there are less than 4 fields. (bugreport:1063) [FlavioJS] + * Fixed improper filling of w4 in npc_parsesrcfile when there are less than 4 fields. (bugreport:1063) [FlavioJS] * Simplified atcommand_spiritball. (deprecated msg_txt 204 and 205) 2009/02/06 * Follow up to r13485. (bugreport:2741) [FlavioJS] @@ -3529,7 +3531,7 @@ IF YOU HAVE A WORKING AND TESTED BUGFIX PUT IT INTO STABLE AS WELL AS TRUNK. * Added parse_console to the plugin API. * Added plugin for parsing the console. (working with cygwin) * Copied the parse_console code form login txt to login sql and char. - * Added propper plugin version compatibility tests. + * Added proper plugin version compatibility tests. * Better output when a plugin fails to load. [FlavioJS] 2007/01/07 * Fixed the sleep timers not being removed when the an npc was being diff --git a/src/common/socket.c b/src/common/socket.c index 11493fef4..deba0e97b 100644 --- a/src/common/socket.c +++ b/src/common/socket.c @@ -630,11 +630,19 @@ int WFIFOSET(int fd, size_t len) { // actually there was a buffer overflow already uint32 ip = s->client_addr; ShowFatalError("WFIFOSET: Write Buffer Overflow. Connection %d (%d.%d.%d.%d) has written %u bytes on a %u/%u bytes buffer.\n", fd, CONVIP(ip), (unsigned int)len, (unsigned int)s->wdata_size, (unsigned int)s->max_wdata); - ShowDebug("Likely command that caused it: 0x%x\n", (*(unsigned short*)(s->wdata + s->wdata_size))); + ShowDebug("Likely command that caused it: 0x%x\n", (*(uint16*)(s->wdata + s->wdata_size))); // no other chance, make a better fifo model exit(EXIT_FAILURE); } + if( len > 0xFFFF ) + { + // dynamic packets allow up to UINT16_MAX bytes (<packet_id>.W <packet_len>.W ...) + // all known fixed-size packets are within this limit, so use the same limit + ShowFatalError("WFIFOSET: Packet 0x%x is too big. (len=%u, max=%u)\n", (*(uint16*)(s->wdata + s->wdata_size)), (unsigned int)len, 0xFFFF); + exit(EXIT_FAILURE); + } + if( !s->flag.server && s->wdata_size+len > WFIFO_MAX ) {// reached maximum write fifo size set_eof(fd); |