From 8e750ae86849ddf3e4ce866c0b440135e9b9b43f Mon Sep 17 00:00:00 2001
From: ai4rei
Date: Thu, 17 Nov 2011 23:41:13 +0000
Subject: * Added a check to WFIFOSET to detect zero-length 'sets' of packets, that could cause memory corruption (through code after WFIFOHEAD(fd,packet_len(cmd)) where the length is 0).
git-svn-id: https://rathena.svn.sourceforge.net/svnroot/rathena/trunk@14995 54d463be-8e91-2dee-dedb-b68131a5f0ec
---
 src/common/socket.c | 8 ++++++++
 1 file changed, 8 insertions(+)
(limited to 'src/common')
diff --git a/src/common/socket.c b/src/common/socket.c
index f1e1afdc8..4f7afd8fd 100644
--- a/src/common/socket.c
+++ b/src/common/socket.c
@@ -647,6 +647,14 @@ int WFIFOSET(int fd, size_t len)
 ShowFatalError("WFIFOSET: Packet 0x%x is too big. (len=%u, max=%u)\n", (*(uint16*)(s->wdata + s->wdata_size)), (unsigned int)len, 0xFFFF);
 exit(EXIT_FAILURE);
 }
+ else if( len == 0 )
+ {
+ // abuses the fact, that the code that did WFIFOHEAD(fd,0), already wrote
+ the packet type into memory, even if it could have overwritten vital data
+ this can happen when a new packet was added on map-server, but packet len table was not updated
+ ShowWarning("WFIFOSET: Attempted to send zero-length packet, most likely 0x%04x (please report this).\n", WFIFOW(fd,0));
+ return 0;
+ }
 if( !s->flag.server && len > socket_max_client_packet )
 {// see declaration of socket_max_client_packet for details
-- cgit v1.2.3-60-g2f50
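Review bot: The diagnostic `WFIFOW(fd,0)` in the new `else if( len == 0 )` branch dereferences two bytes at `s->wdata + s->wdata_size` — the same unreserved region the hunk's own comment says the offending caller wrote after `WFIFOHEAD(fd,0)` — so when the write buffer is already full the warning itself reads past the end of `wdata`; the fatal-error line above shows the packet id is taken from that same address. Presumably the overflow check earlier in the function (outside this hunk) only guarantees `wdata_size + len <= max_wdata`, which with `len == 0` leaves no room for a 2-byte read, so the branch should check before dereferencing: `uint16 cmd = (s->wdata_size + 2 <= s->max_wdata) ? WFIFOW(fd,0) : 0;` and pass `cmd` to `ShowWarning`. The comment should also make clear this is detection after the fact rather than prevention — by the time WFIFOSET runs the caller's out-of-bounds write has already happened — e.g. `// detection only: a caller that did WFIFOHEAD(fd,0) has already written the packet id into space it never reserved`. As rendered here, the second and third comment lines have lost their `//` prefix and would not compile; confirm the committed text carries the comment marker on every line. WFIFOSET starts before and continues after this hunk.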