summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--Changelog-Trunk.txt1
-rw-r--r--src/map/clif.c14
2 files changed, 10 insertions, 5 deletions
diff --git a/Changelog-Trunk.txt b/Changelog-Trunk.txt
index e380d8ba6..ed7ab532b 100644
--- a/Changelog-Trunk.txt
+++ b/Changelog-Trunk.txt
@@ -4,6 +4,7 @@ AS OF SVN REV. 5091, WE ARE NOW USING TRUNK. ALL UNTESTED BUGFIXES/FEATURES GO
IF YOU HAVE A WORKING AND TESTED BUGFIX PUT IT INTO STABLE AS WELL AS TRUNK.
2006/05/19
+ * Exploit prevention in clif_parse_NpcStringInput [Lance]
* grfio_final moved back if any of GRF overriding is enabled so servers
with such configuration will not have different values after reloading. [Lance]
* jA1983 script.c buildin_menu fix. Thanks to End_of_exam. [Lance]
diff --git a/src/map/clif.c b/src/map/clif.c
index 1a52a33d1..e98d8e363 100644
--- a/src/map/clif.c
+++ b/src/map/clif.c
@@ -9800,14 +9800,18 @@ void clif_parse_NpcAmountInput(int fd,struct map_session_data *sd)
*/
void clif_parse_NpcStringInput(int fd,struct map_session_data *sd)
{
+ unsigned short message_len = RFIFOW(fd,2)-7;
RFIFOHEAD(fd);
- if(RFIFOW(fd,2)-7 >= sizeof(sd->npc_str)){
+ if(message_len >= sizeof(sd->npc_str)){
ShowWarning("clif: input string too long !\n");
- memcpy(sd->npc_str,RFIFOP(fd,8),sizeof(sd->npc_str));
- sd->npc_str[sizeof(sd->npc_str)-1]=0;
- } else
- strcpy(sd->npc_str,(char*)RFIFOP(fd,8));
+ message_len = sizeof(sd->npc_str);
+ }
+
+ // Exploit prevention if crafted packets (without null) is being sent. [Lance]
+ memcpy(sd->npc_str,RFIFOP(fd,8),message_len);
+ sd->npc_str[message_len-1]=0;
+
npc_scriptcont(sd,RFIFOL(fd,4));
}