summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorLance <Lance@54d463be-8e91-2dee-dedb-b68131a5f0ec>2006-11-17 17:27:19 +0000
committerLance <Lance@54d463be-8e91-2dee-dedb-b68131a5f0ec>2006-11-17 17:27:19 +0000
commitdb5dbe795d5485977aa7522f2000f0fe2cda0a29 (patch)
tree0f2452b073a96e9225f23899ca9b0d394488aea5
parentdce529d5b1443eb0215589c61dcd834a6e2f802d (diff)
downloadhercules-db5dbe795d5485977aa7522f2000f0fe2cda0a29.tar.gz
hercules-db5dbe795d5485977aa7522f2000f0fe2cda0a29.tar.bz2
hercules-db5dbe795d5485977aa7522f2000f0fe2cda0a29.tar.xz
hercules-db5dbe795d5485977aa7522f2000f0fe2cda0a29.zip
* Fixed potential hack by modifying packet of whispers.
modified Changelog-Trunk.txt modified src/map/clif.c git-svn-id: https://rathena.svn.sourceforge.net/svnroot/rathena/trunk@9249 54d463be-8e91-2dee-dedb-b68131a5f0ec
-rw-r--r--Changelog-Trunk.txt1
-rw-r--r--src/map/clif.c15
2 files changed, 14 insertions, 2 deletions
diff --git a/Changelog-Trunk.txt b/Changelog-Trunk.txt
index 432eece5f..ab0b9b5b3 100644
--- a/Changelog-Trunk.txt
+++ b/Changelog-Trunk.txt
@@ -4,6 +4,7 @@ AS OF SVN REV. 5091, WE ARE NOW USING TRUNK. ALL UNTESTED BUGFIXES/FEATURES GO
IF YOU HAVE A WORKING AND TESTED BUGFIX PUT IT INTO STABLE AS WELL AS TRUNK.
2006/11/17
+ * Fixed potential hack by modifying packet of whispers. [Lance]
* Fixed potential crash in IRC processing message with '%' using *printf. [Lance]
* Fixed memory leaking caused by homun_data not freed when removed. [Lance]
* Fixed client not validating the chat-kick-request packet, which can cause
diff --git a/src/map/clif.c b/src/map/clif.c
index 63c334492..9ef8c7b94 100644
--- a/src/map/clif.c
+++ b/src/map/clif.c
@@ -9055,12 +9055,23 @@ void clif_parse_Wis(int fd, struct map_session_data *sd) { // S 0096 <len>.w <ni
struct npc_data *npc;
char split_data[10][50];
char target[NAME_LENGTH+1];
- char output[256];
+ char output[256];
+ unsigned int speclen, scanlen;
RFIFOHEAD(fd);
//printf("clif_parse_Wis: message: '%s'.\n", RFIFOP(fd,28));
- gm_command = (char*)aMallocA((strlen((const char*)RFIFOP(fd,28)) + 28)*sizeof(char)); // 24+3+(RFIFOW(fd,2)-28)+1 or 24+3+(strlen(RFIFOP(fd,28))+1 (size can be wrong with hacker)
+ // Prevent hacked packets like missing null terminator or wrong len specification. [Lance]
+ speclen = (unsigned int)RFIFOW(fd,2);
+ scanlen = strlen((const char*)RFIFOP(fd,28)) + 28;
+
+ if(scanlen != speclen){
+ ShowWarning("Hack on Whisper: %s (AID: %d)!\n", sd->status.name, sd->bl.id);
+ clif_GM_kick(sd,sd,0);
+ return;
+ }
+
+ gm_command = (char*)aMallocA(speclen * sizeof(char)); // 24+3+(RFIFOW(fd,2)-28)+1 or 24+3+(strlen(RFIFOP(fd,28))+1 (size can be wrong with hacker)
sprintf(gm_command, "%s : %s", sd->status.name, RFIFOP(fd,28));
if ((is_charcommand(fd, sd, gm_command) != CharCommand_None) ||