-rw-r--r--Changelog-Trunk.txt6
-rw-r--r--src/common/socket.c10
2 files changed, 13 insertions, 3 deletions
diff --git a/Changelog-Trunk.txt b/Changelog-Trunk.txt
index 546895757..81ac6ca84 100644
--- a/Changelog-Trunk.txt
+++ b/Changelog-Trunk.txt
@@ -3,8 +3,10 @@ Date Added
AS OF SVN REV. 5091, WE ARE NOW USING TRUNK. ALL UNTESTED BUGFIXES/FEATURES GO INTO TRUNK.
IF YOU HAVE A WORKING AND TESTED BUGFIX PUT IT INTO STABLE AS WELL AS TRUNK.
+2009/02/20
+ * Modified WFIFOSET to trigger a fatal error when trying to send a packet that is too big. [FlavioJS]
2009/02/19
- * Fixed impropper filling of w4 in npc_parsesrcfile when there are less than 4 fields. (bugreport:1063) [FlavioJS]
+ * Fixed improper filling of w4 in npc_parsesrcfile when there are less than 4 fields. (bugreport:1063) [FlavioJS]
* Simplified atcommand_spiritball. (deprecated msg_txt 204 and 205)
2009/02/06
* Follow up to r13485. (bugreport:2741) [FlavioJS]
@@ -3529,7 +3531,7 @@ IF YOU HAVE A WORKING AND TESTED BUGFIX PUT IT INTO STABLE AS WELL AS TRUNK.
* Added parse_console to the plugin API.
* Added plugin for parsing the console. (working with cygwin)
* Copied the parse_console code form login txt to login sql and char.
- * Added propper plugin version compatibility tests.
+ * Added proper plugin version compatibility tests.
* Better output when a plugin fails to load. [FlavioJS]
2007/01/07
* Fixed the sleep timers not being removed when the an npc was being
diff --git a/src/common/socket.c b/src/common/socket.c
index 11493fef4..deba0e97b 100644
--- a/src/common/socket.c
+++ b/src/common/socket.c
@@ -630,11 +630,19 @@ int WFIFOSET(int fd, size_t len)
{ // actually there was a buffer overflow already
uint32 ip = s->client_addr;
ShowFatalError("WFIFOSET: Write Buffer Overflow. Connection %d (%d.%d.%d.%d) has written %u bytes on a %u/%u bytes buffer.\n", fd, CONVIP(ip), (unsigned int)len, (unsigned int)s->wdata_size, (unsigned int)s->max_wdata);
- ShowDebug("Likely command that caused it: 0x%x\n", (*(unsigned short*)(s->wdata + s->wdata_size)));
+ ShowDebug("Likely command that caused it: 0x%x\n", (*(uint16*)(s->wdata + s->wdata_size)));
// no other chance, make a better fifo model
exit(EXIT_FAILURE);
}
+ if( len > 0xFFFF )
+ {
+ // dynamic packets allow up to UINT16_MAX bytes (<packet_id>.W <packet_len>.W ...)
+ // all known fixed-size packets are within this limit, so use the same limit
+ ShowFatalError("WFIFOSET: Packet 0x%x is too big. (len=%u, max=%u)\n", (*(uint16*)(s->wdata + s->wdata_size)), (unsigned int)len, 0xFFFF);
+ exit(EXIT_FAILURE);
+ }
+
if( !s->flag.server && s->wdata_size+len > WFIFO_MAX )
{// reached maximum write fifo size
set_eof(fd);
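Review bot: The new `len > 0xFFFF` branch ends the whole process with `exit(EXIT_FAILURE)` regardless of which connection produced the packet, so if any packet length written for a client session can be driven by peer-supplied data (not visible in this hunk), one oversized send becomes a server-wide denial of service. For `!s->flag.server` connections it would be safer to log the error and drop only that session with `set_eof(fd)`, as the WFIFO_MAX branch just below does, keeping the fatal exit for trusted inter-server links. Separately, the format string uses `%u` for the bare constant `0xFFFF`, which is an `int`; pass `0xFFFFu` or a named limit constant shared by the check and the message. WFIFOSET's body starts and ends outside the hunk, so the correct return value for the early-out path needs to be confirmed against the rest of the function.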