From a3c4d675ba19df385be5d1e3966c61de7186da57 Mon Sep 17 00:00:00 2001 From: shennetsind Date: Sat, 17 Jan 2015 20:18:49 -0200 Subject: 27 Fixes Addressing out of bounds read/write, pointless null checks on already deferenced variables. Special Thanks to 4144 and Haruna! Signed-off-by: shennetsind --- src/char/inter.c | 36 +++++++++++++++--------------------- 1 file changed, 15 insertions(+), 21 deletions(-) (limited to 'src/char') diff --git a/src/char/inter.c b/src/char/inter.c index e60da2b4f..6cd34dc39 100644 --- a/src/char/inter.c +++ b/src/char/inter.c @@ -780,24 +780,18 @@ static int inter_config_read(const char* cfgName) continue; if(!strcmpi(w1,"char_server_ip")) { - strcpy(char_server_ip,w2); - } else - if(!strcmpi(w1,"char_server_port")) { + safestrncpy(char_server_ip, w2, sizeof(char_server_ip)); + } else if(!strcmpi(w1,"char_server_port")) { char_server_port = atoi(w2); - } else - if(!strcmpi(w1,"char_server_id")) { - strcpy(char_server_id,w2); - } else - if(!strcmpi(w1,"char_server_pw")) { - strcpy(char_server_pw,w2); - } else - if(!strcmpi(w1,"char_server_db")) { - strcpy(char_server_db,w2); - } else - if(!strcmpi(w1,"default_codepage")) { - strcpy(default_codepage,w2); - } - else if(!strcmpi(w1,"party_share_level")) + } else if(!strcmpi(w1,"char_server_id")) { + safestrncpy(char_server_id, w2, sizeof(char_server_id)); + } else if(!strcmpi(w1,"char_server_pw")) { + safestrncpy(char_server_pw, w2, sizeof(char_server_pw)); + } else if(!strcmpi(w1,"char_server_db")) { + safestrncpy(char_server_db, w2, sizeof(char_server_db)); + } else if(!strcmpi(w1,"default_codepage")) { + safestrncpy(default_codepage, w2, sizeof(default_codepage)); + } else if(!strcmpi(w1,"party_share_level")) party_share_level = atoi(w2); else if(!strcmpi(w1,"log_inter")) log_inter = atoi(w2); 
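Review bot: The `safestrncpy` calls added in `inter_config_read` for `char_server_ip`, `char_server_id`, `char_server_pw`, `char_server_db` and `default_codepage` truncate an over-long config value without any signal. A password or host name that does not fit is stored cut short, and the failure surfaces only later as a database connection error. A length check before each copy would make this visible, e.g. `if (strlen(w2) >= sizeof(char_server_pw)) ShowWarning("inter_config_read: value for '%s' is too long and was truncated\n", w1);`. The `sizeof(...)` bounds are right only if these destinations are arrays rather than pointers; their declarations, and the start and end of the function, are outside the hunk.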
@@ -931,8 +925,7 @@ int mapif_broadcast(unsigned char *mes, int len, unsigned int fontColor, short f memcpy(WBUFP(buf,16), mes, len - 16); mapif->sendallwos(sfd, buf, len); - if (buf) - aFree(buf); + aFree(buf); return 0; } @@ -940,8 +933,9 @@ int mapif_broadcast(unsigned char *mes, int len, unsigned int fontColor, short f int mapif_wis_message(struct WisData *wd) { unsigned char buf[2048]; - if (wd->len > 2047-56) wd->len = 2047-56; //Force it to fit to avoid crashes. [Skotlex] - + //if (wd->len > 2047-56) wd->len = 2047-56; //Force it to fit to avoid crashes. [Skotlex] + if( wd->len >= sizeof(wd->msg) - 1 ) wd->len = sizeof(wd->msg) - 1; + WBUFW(buf, 0) = 0x3801; WBUFW(buf, 2) = 56 +wd->len; WBUFL(buf, 4) = wd->id; -- cgit v1.2.3-60-g2f50
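Review bot: `memcpy(WBUFP(buf,16), mes, len - 16)`, just above the changed lines in `mapif_broadcast`, has no visible guard that `len` is at least 16. With a smaller `len` the size argument goes negative and converts to a very large `size_t`, which is the class of out-of-bounds access this commit sets out to fix. The start of the function is outside the hunk, so a check may already exist there; if it does not, `len` should be rejected before `buf` is allocated and written. Removing the `if (buf)` test is consistent with `buf` having been written to already, presumably because the allocator never returns NULL, which is worth confirming.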
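Review bot: The new clamp in `mapif_wis_message` bounds `wd->len` by `sizeof(wd->msg) - 1` but no longer by the destination, so `buf[2048]` holds `56 + wd->len` only while `sizeof(wd->msg)` stays at or below `2048 - 56`. The struct is declared outside the hunk, so that relation cannot be checked here. It should be pinned with a compile-time assertion, or at least a comment such as `// assumes sizeof(wd->msg) + 56 <= sizeof(buf)`. If `wd->len` is a signed int (not visible here), the comparison against `sizeof` converts it to unsigned, so a negative length is silently clamped to the maximum instead of being rejected; an explicit `wd->len < 0` branch would state the intent. The commented-out old check should be deleted rather than kept, and `>=` could be `>` because assigning when the value is already equal is a no-op.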