authorai4rei <ai4rei@54d463be-8e91-2dee-dedb-b68131a5f0ec>2011-11-17 23:41:13 +0000
committerai4rei <ai4rei@54d463be-8e91-2dee-dedb-b68131a5f0ec>2011-11-17 23:41:13 +0000
commit8e750ae86849ddf3e4ce866c0b440135e9b9b43f (patch)
tree94957ac8997064ab76cfc56ce106b7cd9911c2d7
parent033b872492a71c384b8f7cc722fc9e5349fa1cdf (diff)
* Added a check to WFIFOSET to detect zero-length 'sets' of packets, that could cause memory corruption (through code after WFIFOHEAD(fd,packet_len(cmd)) where the length is 0).
git-svn-id: https://rathena.svn.sourceforge.net/svnroot/rathena/trunk@14995 54d463be-8e91-2dee-dedb-b68131a5f0ec
-rw-r--r--Changelog-Trunk.txt2
-rw-r--r--src/common/socket.c8
2 files changed, 10 insertions, 0 deletions
diff --git a/Changelog-Trunk.txt b/Changelog-Trunk.txt
index fda98a3a3..737b65acd 100644
--- a/Changelog-Trunk.txt
+++ b/Changelog-Trunk.txt
@@ -1,5 +1,7 @@
Date Added
+2011/11/17
+ * Added a check to WFIFOSET to detect zero-length 'sets' of packets, that could cause memory corruption (through code after WFIFOHEAD(fd,packet_len(cmd)) where the length is 0). [Ai4rei]
2011/11/16
* Fixed natural expiration of GM mute printing the unmute message twice (since r12169). [Ai4rei]
2011/11/12
diff --git a/src/common/socket.c b/src/common/socket.c
index f1e1afdc8..4f7afd8fd 100644
--- a/src/common/socket.c
+++ b/src/common/socket.c
@@ -647,6 +647,14 @@ int WFIFOSET(int fd, size_t len)
ShowFatalError("WFIFOSET: Packet 0x%x is too big. (len=%u, max=%u)\n", (*(uint16*)(s->wdata + s->wdata_size)), (unsigned int)len, 0xFFFF);
exit(EXIT_FAILURE);
}
+ else if( len == 0 )
+ {
+ // abuses the fact, that the code that did WFIFOHEAD(fd,0), already wrote
+ // the packet type into memory, even if it could have overwritten vital data
+ // this can happen when a new packet was added on map-server, but packet len table was not updated
+ ShowWarning("WFIFOSET: Attempted to send zero-length packet, most likely 0x%04x (please report this).\n", WFIFOW(fd,0));
+ return 0;
+ }
if( !s->flag.server && len > socket_max_client_packet )
{// see declaration of socket_max_client_packet for details