From a7e38ac4436d545ad3dd1c9ed35ed5c1300af1c1 Mon Sep 17 00:00:00 2001 From: ultramage Date: Thu, 23 Apr 2009 15:09:17 +0000 Subject: Added length check to functions clif_parse_CreateChatRoom and clif_parse_ChatRoomStatusChange (bugreport:2999). This prevents a signed/unsigned integer overflow when calling the safestrncpy function. Also added a note regarding a potential out-of-bounds access issue in these functions. git-svn-id: https://rathena.svn.sourceforge.net/svnroot/rathena/trunk@13690 54d463be-8e91-2dee-dedb-b68131a5f0ec --- src/map/clif.c | 16 +++++++++++----- src/map/mob.c | 1 - 2 files changed, 11 insertions(+), 6 deletions(-) (limited to 'src/map') diff --git a/src/map/clif.c b/src/map/clif.c index bc2392504..3baba439e 100644 --- a/src/map/clif.c +++ b/src/map/clif.c @@ -9095,8 +9095,8 @@ void clif_parse_CreateChatRoom(int fd, struct map_session_data* sd) bool pub = (RFIFOB(fd,6) != 0); const char* password = (char*)RFIFOP(fd,7); //not zero-terminated const char* title = (char*)RFIFOP(fd,15); // not zero-terminated - char s_title[CHATROOM_TITLE_SIZE]; char s_password[CHATROOM_PASS_SIZE]; + char s_title[CHATROOM_TITLE_SIZE]; if (sd->sc.data[SC_NOCHAT] && sd->sc.data[SC_NOCHAT]->val1&MANNER_NOROOM) return; @@ -9105,8 +9105,11 @@ void clif_parse_CreateChatRoom(int fd, struct map_session_data* sd) return; } - safestrncpy(s_title, title, min(len+1,CHATROOM_TITLE_SIZE)); + if( len <= 0 ) + return; // invalid input + safestrncpy(s_password, password, CHATROOM_PASS_SIZE); + safestrncpy(s_title, title, min(len+1,CHATROOM_TITLE_SIZE)); //NOTE: assumes that safestrncpy will not access the len+1'th byte chat_createpcchat(sd, s_title, s_password, limit, pub); } @@ -9134,11 +9137,14 @@ void clif_parse_ChatRoomStatusChange(int fd, struct map_session_data* sd) bool pub = (RFIFOB(fd,6) != 0); const char* password = (char*)RFIFOP(fd,7); // not zero-terminated const char* title = (char*)RFIFOP(fd,15); // not zero-terminated - - char s_title[CHATROOM_TITLE_SIZE]; char s_password[CHATROOM_PASS_SIZE]; - safestrncpy(s_title, title, min(len+1,CHATROOM_TITLE_SIZE)); + char s_title[CHATROOM_TITLE_SIZE]; + + if( len <= 0 ) + return; // invalid input + safestrncpy(s_password, password, CHATROOM_PASS_SIZE); + safestrncpy(s_title, title, min(len+1,CHATROOM_TITLE_SIZE)); //NOTE: assumes that safestrncpy will not access the len+1'th byte chat_changechatstatus(sd, s_title, s_password, limit, pub); } diff --git a/src/map/mob.c b/src/map/mob.c index a249d2724..4577ce0bd 100644 --- a/src/map/mob.c +++ b/src/map/mob.c @@ -47,7 +47,6 @@ // Move probability for mobs away from players (rate of 1000 minute) // in Aegis, this is 100% for mobs that have been activated by players and none otherwise. #define MOB_LAZYMOVEPERC(md) (md->state.spotted?1000:0) -#define MOB_LAZYWARPPERC 20 // Warp probability in the negligent mode MOB (rate of 1000 minute) #define MOB_MAX_DELAY (24*3600*1000) #define MAX_MINCHASE 30 //Max minimum chase value to use for mobs. #define RUDE_ATTACKED_COUNT 2 //After how many rude-attacks should the skill be used? -- cgit v1.2.3-70-g09d2