Add missing checks info clif_parse_* functions.

author: Andrei Karas <akaras@inbox.ru> 2018-02-24 01:03:38 +0300
committer: Andrei Karas <akaras@inbox.ru> 2018-02-27 19:09:23 +0300
commit: eda3e91684c6364b55d740f0c78a669705b867a6 (patch)
tree: 514c49a63599fec36706d59c1dc2abd5734bd615
parent: 3280c97ff6cd7e8dd5d40b4af28d0eadfbd5f33d (diff)
download: hercules-eda3e91684c6364b55d740f0c78a669705b867a6.tar.gz
hercules-eda3e91684c6364b55d740f0c78a669705b867a6.tar.bz2
hercules-eda3e91684c6364b55d740f0c78a669705b867a6.tar.xz
hercules-eda3e91684c6364b55d740f0c78a669705b867a6.zip
1 files changed, 139 insertions, 58 deletions
diff --git a/src/map/clif.c b/src/map/clif.c
index 7c314b075..f8f50c7ee 100644
--- a/src/map/clif.c
+++ b/src/map/clif.c
@@ -10999,13 +10999,21 @@ void clif_parse_CreateChatRoom(int fd, struct map_session_data* sd) __attribute_
 void clif_parse_CreateChatRoom(int fd, struct map_session_data* sd)
 {
 	int len = RFIFOW(fd,2)-15;
-	int limit = RFIFOW(fd,4);
-	bool pub = (RFIFOB(fd,6) != 0);
-	const char *password = RFIFOP(fd,7); //not zero-terminated
-	const char *title = RFIFOP(fd,15); // not zero-terminated
+	int limit;
+	bool pub;
+	const char *password; //not zero-terminated
+	const char *title; // not zero-terminated
 	char s_password[CHATROOM_PASS_SIZE];
 	char s_title[CHATROOM_TITLE_SIZE];
 
+	if (len < 1)
+		return;
+
+	limit = RFIFOW(fd, 4);
+	pub = (RFIFOB(fd, 6) != 0);
+	password = RFIFOP(fd, 7); //not zero-terminated
+	title = RFIFOP(fd, 15); // not zero-terminated
+
 	if (pc_ismuted(&sd->sc, MANNER_NOROOM))
 		return;
 	if(battle_config.basic_skill_check && !pc->check_basicskill(sd, 4)) {
@@ -11021,9 +11029,6 @@ void clif_parse_CreateChatRoom(int fd, struct map_session_data* sd)
 		return;
 	}
 
-	if( len <= 0 )
-		return; // invalid input
-
 	safestrncpy(s_password, password, CHATROOM_PASS_SIZE);
 	safestrncpy(s_title, title, min(len+1,CHATROOM_TITLE_SIZE)); //NOTE: assumes that safestrncpy will not access the len+1'th byte
 
@@ -11050,15 +11055,20 @@ void clif_parse_ChatRoomStatusChange(int fd, struct map_session_data* sd) __attr
 void clif_parse_ChatRoomStatusChange(int fd, struct map_session_data* sd)
 {
 	int len = RFIFOW(fd,2)-15;
-	int limit = RFIFOW(fd,4);
-	bool pub = (RFIFOB(fd,6) != 0);
-	const char *password = RFIFOP(fd,7); // not zero-terminated
-	const char *title = RFIFOP(fd,15); // not zero-terminated
+	int limit;
+	bool pub;
+	const char *password; // not zero-terminated
+	const char *title; // not zero-terminated
 	char s_password[CHATROOM_PASS_SIZE];
 	char s_title[CHATROOM_TITLE_SIZE];
 
-	if( len <= 0 )
-		return; // invalid input
+	if (len < 1)
+		return;
+
+	limit = RFIFOW(fd, 4);
+	pub = (RFIFOB(fd, 6) != 0);
+	password = RFIFOP(fd, 7); // not zero-terminated
+	title = RFIFOP(fd, 15); // not zero-terminated
 
 	safestrncpy(s_password, password, CHATROOM_PASS_SIZE);
 	safestrncpy(s_title, title, min(len+1,CHATROOM_TITLE_SIZE)); //NOTE: assumes that safestrncpy will not access the len+1'th byte
@@ -11074,7 +11084,7 @@ void clif_parse_ChangeChatOwner(int fd, struct map_session_data* sd) __attribute
 ///     1 = normal
 void clif_parse_ChangeChatOwner(int fd, struct map_session_data* sd)
 {
-	chat->change_owner(sd, RFIFOP(fd,6));
+	chat->change_owner(sd, RFIFOP(fd,6)); // non null terminated
 }
 
 void clif_parse_KickFromChat(int fd,struct map_session_data *sd) __attribute__((nonnull (2)));
@@ -11082,7 +11092,7 @@ void clif_parse_KickFromChat(int fd,struct map_session_data *sd) __attribute__((
 /// 00e2 <name>.24B
 void clif_parse_KickFromChat(int fd,struct map_session_data *sd)
 {
-	chat->kick(sd, RFIFOP(fd,2));
+	chat->kick(sd, RFIFOP(fd,2)); // non null terminated
 }
 
 void clif_parse_ChatLeave(int fd, struct map_session_data* sd) __attribute__((nonnull (2)));
@@ -11841,17 +11851,21 @@ void clif_parse_NpcStringInput(int fd, struct map_session_data* sd) __attribute_
 /// 01d5 <packet len>.W <npc id>.L <string>.?B
 void clif_parse_NpcStringInput(int fd, struct map_session_data* sd)
 {
+	int len = RFIFOW(fd, 2);
 // [4144] can't confirm exact client version. At least >= correct for 20150513
 #if PACKETVER >= 20151029
-	int message_len = RFIFOW(fd, 2) - 7;
+	int message_len = len - 7;
 #else
-	int message_len = RFIFOW(fd, 2) - 8;
+	int message_len = len - 8;
 #endif
-	int npcid = RFIFOL(fd,4);
-	const char *message = RFIFOP(fd,8);
+	int npcid;
+	const char *message;
+
+	if (len < 9)
+		return;
 
-	if( message_len <= 0 )
-		return; // invalid input
+	npcid = RFIFOL(fd, 4);
+	message = RFIFOP(fd, 8);
 
 	safestrncpy(sd->npc_str, message, min(message_len,CHATBOX_SIZE));
 	npc->scriptcont(sd, npcid, false);
@@ -13005,9 +13019,15 @@ void clif_parse_PurchaseReq(int fd, struct map_session_data* sd) __attribute__((
 /// 0134 <packet len>.W <account id>.L { <amount>.W <index>.W }*
 void clif_parse_PurchaseReq(int fd, struct map_session_data* sd)
 {
-	int len = (int)RFIFOW(fd,2) - 8;
-	int id = RFIFOL(fd,4);
-	const uint8 *data = RFIFOP(fd,8);
+	int len = (int)RFIFOW(fd, 2) - 8;
+	int id;
+	const uint8 *data;
+
+	if (len < 1)
+		return;
+
+	id = RFIFOL(fd, 4);
+	data = RFIFOP(fd, 8);
 
 	vending->purchase(sd, id, sd->vended_id, data, len/4);
 
@@ -13020,10 +13040,16 @@ void clif_parse_PurchaseReq2(int fd, struct map_session_data* sd) __attribute__(
 /// 0801 <packet len>.W <account id>.L <unique id>.L { <amount>.W <index>.W }*
 void clif_parse_PurchaseReq2(int fd, struct map_session_data* sd)
 {
-	int len = (int)RFIFOW(fd,2) - 12;
-	int aid = RFIFOL(fd,4);
-	int uid = RFIFOL(fd,8);
-	const uint8 *data = RFIFOP(fd,12);
+	int len = (int)RFIFOW(fd, 2) - 12;
+	int aid;
+	int uid;
+	const uint8 *data;
+
+	if (len < 1)
+		return;
+	aid = RFIFOL(fd, 4);
+	uid = RFIFOL(fd, 8);
+	data = RFIFOP(fd, 12);
 
 	vending->purchase(sd, aid, uid, data, len/4);
 
@@ -13040,9 +13066,16 @@ void clif_parse_OpenVending(int fd, struct map_session_data* sd) __attribute__((
 ///     1 = open
 void clif_parse_OpenVending(int fd, struct map_session_data* sd) {
 	short len = (short)RFIFOW(fd,2) - 85;
-	const char *message = RFIFOP(fd,4);
-	bool flag = (RFIFOB(fd,84) != 0) ? true : false;
-	const uint8 *data = RFIFOP(fd,85);
+	const char *message;
+	bool flag;
+	const uint8 *data;
+
+	if (len < 1)
+		return;
+
+	message = RFIFOP(fd,4);
+	flag = (RFIFOB(fd,84) != 0) ? true : false;
+	data = RFIFOP(fd,85);
 
 	if( !flag )
 		sd->state.prevend = sd->state.workinprogress = 0;
@@ -13135,12 +13168,14 @@ void clif_parse_GuildChangePositionInfo(int fd, struct map_session_data *sd) __a
 void clif_parse_GuildChangePositionInfo(int fd, struct map_session_data *sd)
 {
 	int i;
+	int count = (RFIFOW(fd, 2) - 4) / 40;
 
-	if(!sd->state.gmaster_flag)
+	if (!sd->state.gmaster_flag)
 		return;
 
-	for(i = 4; i < RFIFOW(fd,2); i += 40 ){
-		guild->change_position(sd->status.guild_id, RFIFOL(fd,i), RFIFOL(fd,i+4), RFIFOL(fd,i+12), RFIFOP(fd,i+16));
+	for (i = 0; i < count; i ++ ) {
+		int idx = i * 40 + 4;
+		guild->change_position(sd->status.guild_id, RFIFOL(fd, idx), RFIFOL(fd, idx + 4), RFIFOL(fd, idx + 12), RFIFOP(fd, idx + 16));
 	}
 }
 
@@ -13151,6 +13186,7 @@ void clif_parse_GuildChangeMemberPosition(int fd, struct map_session_data *sd)
 {
 	int i;
 	int len = RFIFOW(fd, 2);
+	int count = (len - 4) / 12;
 
 	if(!sd->state.gmaster_flag)
 		return;
@@ -13161,10 +13197,11 @@ void clif_parse_GuildChangeMemberPosition(int fd, struct map_session_data *sd)
 		return;
 	}
 
-	for(i=4;i<RFIFOW(fd,2);i+=12){
-		int position = RFIFOL(fd, i + 8);
-		if (position > 0) {
-			guild->change_memberposition(sd->status.guild_id, RFIFOL(fd, i), RFIFOL(fd, i + 4), position);
+	for (i = 0; i < count; i++) {
+		int idx = i * 12 + 4;
+		int position = RFIFOL(fd, idx + 8);
+		if (position > 0 && position < MAX_GUILDPOSITION) {
+			guild->change_memberposition(sd->status.guild_id, RFIFOL(fd, idx), RFIFOL(fd, idx + 4), position);
 		}
 	}
 }
@@ -13548,12 +13585,15 @@ void clif_parse_GuildBreak(int fd, struct map_session_data *sd) __attribute__((n
 /// key:
 ///     now guild name; might have been (intended) email, since the
 ///     field name and size is same as the one in CH_DELETE_CHAR.
-void clif_parse_GuildBreak(int fd, struct map_session_data *sd) {
+void clif_parse_GuildBreak(int fd, struct map_session_data *sd)
+{
+	char key[40];
 	if( map->list[sd->bl.m].flag.guildlock ) {
 		clif->message(fd, msg_fd(fd,228)); // Guild modification is disabled in this map.
 		return;
 	}
-	guild->dobreak(sd, RFIFOP(fd,2));
+	safestrncpy(key, RFIFOP(fd, 2), 40);
+	guild->dobreak(sd, key);
 }
 
 /// Pet
@@ -15302,17 +15342,19 @@ void clif_parse_Mail_winopen(int fd, struct map_session_data *sd)
 void clif_parse_Mail_send(int fd, struct map_session_data *sd) __attribute__((nonnull (2)));
 /// Request to send mail (CZ_MAIL_SEND).
 /// 0248 <packet len>.W <recipient>.24B <title>.40B <body len>.B <body>.?B
+
 void clif_parse_Mail_send(int fd, struct map_session_data *sd)
 {
 	struct mail_message msg;
 	int body_len;
+	int len = RFIFOW(fd, 2);
 
 	if( !chrif->isconnected() )
 		return;
 	if( sd->state.trading )
 		return;
 
-	if( RFIFOW(fd,2) < 69 ) {
+	if (len < 69) {
 		ShowWarning("Invalid Msg Len from account %d.\n", sd->status.account_id);
 		return;
 	}
@@ -15328,6 +15370,11 @@ void clif_parse_Mail_send(int fd, struct map_session_data *sd)
 	if (body_len > MAIL_BODY_LENGTH)
 		body_len = MAIL_BODY_LENGTH;
 
+	if (body_len + 69 > len) {
+		ShowWarning("Invalid Msg Len from account %d.\n", sd->status.account_id);
+		return;
+	}
+
 	memset(&msg, 0, sizeof(msg));
 	if (!mail->setattachment(sd, &msg)) { // Invalid Append condition
 		clif->mail_send(sd->fd, true); // fail
@@ -15833,15 +15880,24 @@ void clif_parse_cashshop_buy(int fd, struct map_session_data *sd)
 		fail = npc->cashshop_buy(sd, nameid, amount, points);
 #else
 		int len = RFIFOW(fd,2);
-		int points = RFIFOL(fd,4);
-		int count = RFIFOW(fd,8);
+		int points;
+		int count;
 		struct itemlist item_list = { 0 };
 		int i;
 
-		if( len < 10 || len != 10 + count * 4) {
+		if (len < 10) {
+			ShowWarning("Player %d sent incorrect cash shop buy packet (len %d)!\n", sd->status.char_id, len);
+			return;
+		}
+
+		points = RFIFOL(fd, 4);
+		count = RFIFOW(fd, 8);
+
+		if (len != 10 + count * 4) {
 			ShowWarning("Player %d sent incorrect cash shop buy packet (len %d:%d)!\n", sd->status.char_id, len, 10 + count * 4);
 			return;
 		}
+
 		VECTOR_INIT(item_list);
 		VECTOR_ENSURE(item_list, count, 1);
 		for (i = 0; i < count; i++) {
@@ -16879,7 +16935,7 @@ void clif_parse_ItemListWindowSelected(int fd, struct map_session_data *sd) __at
 /// S 07e4 <length>.w <option>.l <val>.l {<index>.w <amount>.w).4b*
 void clif_parse_ItemListWindowSelected(int fd, struct map_session_data *sd)
 {
-	int n = ((int)RFIFOW(fd,2) - 12) / 4;
+	int n = ((int)RFIFOW(fd, 2) - 12) / 4;
 	int type = RFIFOL(fd,4);
 	int flag = RFIFOL(fd,8); // Button clicked: 0 = Cancel, 1 = OK
 	struct itemlist item_list = { 0 };
@@ -17010,7 +17066,7 @@ void clif_parse_ReqOpenBuyingStore(int fd, struct map_session_data* sd) {
 	char storename[MESSAGE_SIZE];
 	unsigned char result;
 	int zenylimit;
-	unsigned int count, packet_len;
+	int count, packet_len;
 	struct s_packet_db* info = &packet_db[RFIFOW(fd,0)];
 
 	packet_len = RFIFOW(fd,info->pos[0]);
@@ -17018,7 +17074,7 @@ void clif_parse_ReqOpenBuyingStore(int fd, struct map_session_data* sd) {
 	// TODO: Make this check global for all variable length packets.
 	if( packet_len < 89 )
 	{// minimum packet length
-		ShowError("clif_parse_ReqOpenBuyingStore: Malformed packet (expected length=%u, length=%u, account_id=%d).\n", 89U, packet_len, sd->bl.id);
+		ShowError("clif_parse_ReqOpenBuyingStore: Malformed packet (expected length=%u, length=%d, account_id=%d).\n", 89U, packet_len, sd->bl.id);
 		return;
 	}
 
@@ -17030,9 +17086,12 @@ void clif_parse_ReqOpenBuyingStore(int fd, struct map_session_data* sd) {
 	// so that buyingstore_create knows, how many elements it has access to
 	packet_len-= info->pos[4];
 
+	if (packet_len < 0)
+		return;
+
 	if( packet_len%blocksize )
 	{
-		ShowError("clif_parse_ReqOpenBuyingStore: Unexpected item list size %u (account_id=%d, block size=%u)\n", packet_len, sd->bl.id, blocksize);
+		ShowError("clif_parse_ReqOpenBuyingStore: Unexpected item list size %d (account_id=%d, block size=%u)\n", packet_len, sd->bl.id, blocksize);
 		return;
 	}
 	count = packet_len/blocksize;
@@ -17201,14 +17260,15 @@ void clif_parse_ReqTradeBuyingStore(int fd, struct map_session_data* sd) {
 	const unsigned int blocksize = 6;
 	const uint8 *itemlist;
 	int account_id;
-	unsigned int count, packet_len, buyer_id;
+	unsigned int buyer_id;
+	int count, packet_len;
 	struct s_packet_db* info = &packet_db[RFIFOW(fd,0)];
 
 	packet_len = RFIFOW(fd,info->pos[0]);
 
 	if( packet_len < 12 )
 	{// minimum packet length
-		ShowError("clif_parse_ReqTradeBuyingStore: Malformed packet (expected length=%u, length=%u, account_id=%d).\n", 12U, packet_len, sd->bl.id);
+		ShowError("clif_parse_ReqTradeBuyingStore: Malformed packet (expected length=%u, length=%d, account_id=%d).\n", 12U, packet_len, sd->bl.id);
 		return;
 	}
 
@@ -17218,10 +17278,12 @@ void clif_parse_ReqTradeBuyingStore(int fd, struct map_session_data* sd) {
 
 	// so that buyingstore_trade knows, how many elements it has access to
 	packet_len-= info->pos[3];
+	if (packet_len < 0)
+		return;
 
 	if( packet_len%blocksize )
 	{
-		ShowError("clif_parse_ReqTradeBuyingStore: Unexpected item list size %u (account_id=%d, buyer_id=%d, block size=%u)\n", packet_len, sd->bl.id, account_id, blocksize);
+		ShowError("clif_parse_ReqTradeBuyingStore: Unexpected item list size %d (account_id=%d, buyer_id=%d, block size=%u)\n", packet_len, sd->bl.id, account_id, blocksize);
 		return;
 	}
 	count = packet_len/blocksize;
@@ -17340,14 +17402,15 @@ void clif_parse_SearchStoreInfo(int fd, struct map_session_data* sd) {
 	const uint8* itemlist;
 	const uint8* cardlist;
 	unsigned char type;
-	unsigned int min_price, max_price, packet_len, count, item_count, card_count;
+	unsigned int min_price, max_price;
+	int packet_len, count, item_count, card_count;
 	struct s_packet_db* info = &packet_db[RFIFOW(fd,0)];
 
 	packet_len = RFIFOW(fd,info->pos[0]);
 
 	if( packet_len < 15 )
 	{// minimum packet length
-		ShowError("clif_parse_SearchStoreInfo: Malformed packet (expected length=%u, length=%u, account_id=%d).\n", 15U, packet_len, sd->bl.id);
+		ShowError("clif_parse_SearchStoreInfo: Malformed packet (expected length=%u, length=%d, account_id=%d).\n", 15U, packet_len, sd->bl.id);
 		return;
 	}
 
@@ -17357,24 +17420,28 @@ void clif_parse_SearchStoreInfo(int fd, struct map_session_data* sd) {
 	item_count = RFIFOB(fd,info->pos[4]);
 	card_count = RFIFOB(fd,info->pos[5]);
 	itemlist   = RFIFOP(fd,info->pos[6]);
-	cardlist   = RFIFOP(fd,info->pos[6]+blocksize*item_count);
 
 	// check, if there is enough data for the claimed count of items
 	packet_len-= info->pos[6];
 
+	if (packet_len < 0)
+		return;
+
 	if( packet_len%blocksize )
 	{
-		ShowError("clif_parse_SearchStoreInfo: Unexpected item list size %u (account_id=%d, block size=%u)\n", packet_len, sd->bl.id, blocksize);
+		ShowError("clif_parse_SearchStoreInfo: Unexpected item list size %d (account_id=%d, block size=%u)\n", packet_len, sd->bl.id, blocksize);
 		return;
 	}
 	count = packet_len/blocksize;
 
 	if( count < item_count+card_count )
 	{
-		ShowError("clif_parse_SearchStoreInfo: Malformed packet (expected count=%u, count=%u, account_id=%d).\n", item_count+card_count, count, sd->bl.id);
+		ShowError("clif_parse_SearchStoreInfo: Malformed packet (expected count=%d, count=%d, account_id=%d).\n", item_count+card_count, count, sd->bl.id);
 		return;
 	}
 
+	cardlist   = RFIFOP(fd, info->pos[6] + blocksize * item_count);
+
 	searchstore->query(sd, type, min_price, max_price, (const unsigned short*)itemlist, item_count, (const unsigned short*)cardlist, card_count);
 }
 
@@ -17994,16 +18061,30 @@ void clif_parse_CashShopSchedule(int fd, struct map_session_data *sd)
 #endif
 }
 
+/// R 0848 <len>.W <limit>.W <kafra pay>.L (<item id>.L <amount>.L <tab>.W)*
 void clif_parse_CashShopBuy(int fd, struct map_session_data *sd) __attribute__((nonnull (2)));
 void clif_parse_CashShopBuy(int fd, struct map_session_data *sd) {
-	unsigned short limit = RFIFOW(fd, 4), i, j;
-	unsigned int kafra_pay = RFIFOL(fd, 6);// [Ryuuzaki] - These are free cash points (strangely #CASH = main cash currently for us, confusing)
+	int len = RFIFOW(fd, 2);
+	unsigned short limit, i, j;
+	unsigned int kafra_pay;
+	int count;
 
 	if (map->list[sd->bl.m].flag.nocashshop) {
 		clif->messagecolor_self(fd, COLOR_RED, msg_fd(fd,1489)); //Cash Shop is disabled in this map
 		return;
 	}
 
+	if (len < 10)
+		return;
+
+	limit = RFIFOW(fd, 4);
+	kafra_pay = RFIFOL(fd, 6); // [Ryuuzaki] - These are free cash points (strangely #CASH = main cash currently for us, confusing)
+	count = (len - 10) / 10;
+	if (count != limit) {
+		ShowError("Wrong cash shop limit: %d\n", limit);
+		return;
+	}
+
 	for(i = 0; i < limit; i++) {
 		int qty = RFIFOL(fd, 14 + ( i * 10 ));
 		int id = RFIFOL(fd, 10 + ( i * 10 ));
author	Andrei Karas <akaras@inbox.ru>	2018-02-24 01:03:38 +0300
committer	Andrei Karas <akaras@inbox.ru>	2018-02-27 19:09:23 +0300
commit	eda3e91684c6364b55d740f0c78a669705b867a6 (patch)
tree	514c49a63599fec36706d59c1dc2abd5734bd615
parent	3280c97ff6cd7e8dd5d40b4af28d0eadfbd5f33d (diff)
download	hercules-eda3e91684c6364b55d740f0c78a669705b867a6.tar.gz hercules-eda3e91684c6364b55d740f0c78a669705b867a6.tar.bz2 hercules-eda3e91684c6364b55d740f0c78a669705b867a6.tar.xz hercules-eda3e91684c6364b55d740f0c78a669705b867a6.zip