From d84d35044f5371ff5ed28a406a672bc455ab66ef Mon Sep 17 00:00:00 2001
From: Lance
Date: Sun, 21 May 2006 02:37:36 +0000
Subject: * Exploit prevention in clif_parse_NpcStringInput
git-svn-id: https://rathena.svn.sourceforge.net/svnroot/rathena/trunk@6670 54d463be-8e91-2dee-dedb-b68131a5f0ec
---
 src/map/clif.c | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)
(limited to 'src')
diff --git a/src/map/clif.c b/src/map/clif.c
index 1a52a33d1..e98d8e363 100644
--- a/src/map/clif.c
+++ b/src/map/clif.c
@@ -9800,14 +9800,18 @@ void clif_parse_NpcAmountInput(int fd,struct map_session_data *sd)
  */
 void clif_parse_NpcStringInput(int fd,struct map_session_data *sd)
 {
+ unsigned short message_len = RFIFOW(fd,2)-7;
 RFIFOHEAD(fd);
- if(RFIFOW(fd,2)-7 >= sizeof(sd->npc_str)){
+ if(message_len >= sizeof(sd->npc_str)){
 ShowWarning("clif: input string too long !\n");
- memcpy(sd->npc_str,RFIFOP(fd,8),sizeof(sd->npc_str));
- sd->npc_str[sizeof(sd->npc_str)-1]=0;
- } else
- strcpy(sd->npc_str,(char*)RFIFOP(fd,8));
+ message_len = sizeof(sd->npc_str);
+ }
+
+ // Exploit prevention if crafted packets (without null) is being sent. [Lance]
+ memcpy(sd->npc_str,RFIFOP(fd,8),message_len);
+ sd->npc_str[message_len-1]=0;
+
 npc_scriptcont(sd,RFIFOL(fd,4));
 }
-- cgit v1.2.3-70-g09d2
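Review bot: The new length handling has no lower bound: a packet whose length word at offset 2 is exactly 7 yields `message_len == 0`, the memcpy copies nothing, and `sd->npc_str[message_len-1]=0` (unsigned short promoted to int) writes to `sd->npc_str[-1]`, one byte before the buffer, while a length of 4–6 makes `RFIFOW(fd,2)-7` wrap when stored in the unsigned short, is clamped to sizeof(sd->npc_str), and copies that many bytes from beyond the packet's declared end. A guard before the copy closes both cases, e.g. `if (RFIFOW(fd,2) < 8) { sd->npc_str[0] = 0; npc_scriptcont(sd,RFIFOL(fd,4)); return; }`, or, if the generic variable-length packet check elsewhere in clif.c already enforces a minimum of 8 here, a comment saying so next to the message_len initializer. Separately, `RFIFOW(fd,2)` is now evaluated in the declaration before `RFIFOHEAD(fd)` runs; if RFIFOHEAD sets up state the RFIFO macros rely on in this build, the read should move below it (`unsigned short message_len; RFIFOHEAD(fd); message_len = RFIFOW(fd,2)-7;`). The `-7` is inherited from the old code, but it is worth confirming against the packet definition that copying length-7 bytes from offset 8 does not read one byte past the declared length.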