From a7e38ac4436d545ad3dd1c9ed35ed5c1300af1c1 Mon Sep 17 00:00:00 2001
From: ultramage <ultramage@54d463be-8e91-2dee-dedb-b68131a5f0ec>
Date: Thu, 23 Apr 2009 15:09:17 +0000
Subject: Added length check to functions clif_parse_CreateChatRoom and
 clif_parse_ChatRoomStatusChange (bugreport:2999). This prevents a
 signed/unsigned integer overflow when calling the safestrncpy function. Also
 added a note regarding a potential out-of-bounds access issue in these
 functions.

git-svn-id: https://rathena.svn.sourceforge.net/svnroot/rathena/trunk@13690 54d463be-8e91-2dee-dedb-b68131a5f0ec
---
 src/map/clif.c | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

(limited to 'src/map/clif.c')

diff --git a/src/map/clif.c b/src/map/clif.c
index bc2392504..3baba439e 100644
--- a/src/map/clif.c
+++ b/src/map/clif.c
@@ -9095,8 +9095,8 @@ void clif_parse_CreateChatRoom(int fd, struct map_session_data* sd)
 	bool pub = (RFIFOB(fd,6) != 0);
 	const char* password = (char*)RFIFOP(fd,7); //not zero-terminated
 	const char* title = (char*)RFIFOP(fd,15); // not zero-terminated
-	char s_title[CHATROOM_TITLE_SIZE];
 	char s_password[CHATROOM_PASS_SIZE];
+	char s_title[CHATROOM_TITLE_SIZE];
 
 	if (sd->sc.data[SC_NOCHAT] && sd->sc.data[SC_NOCHAT]->val1&MANNER_NOROOM)
 		return;
@@ -9105,8 +9105,11 @@ void clif_parse_CreateChatRoom(int fd, struct map_session_data* sd)
 		return;
 	}
 
-	safestrncpy(s_title, title, min(len+1,CHATROOM_TITLE_SIZE));
+	if( len <= 0 )
+		return; // invalid input
+
 	safestrncpy(s_password, password, CHATROOM_PASS_SIZE);
+	safestrncpy(s_title, title, min(len+1,CHATROOM_TITLE_SIZE)); //NOTE: assumes that safestrncpy will not access the len+1'th byte
 
 	chat_createpcchat(sd, s_title, s_password, limit, pub);
 }
@@ -9134,11 +9137,14 @@ void clif_parse_ChatRoomStatusChange(int fd, struct map_session_data* sd)
 	bool pub = (RFIFOB(fd,6) != 0);
 	const char* password = (char*)RFIFOP(fd,7); // not zero-terminated
 	const char* title = (char*)RFIFOP(fd,15); // not zero-terminated
-
-	char s_title[CHATROOM_TITLE_SIZE];
 	char s_password[CHATROOM_PASS_SIZE];
-	safestrncpy(s_title, title, min(len+1,CHATROOM_TITLE_SIZE));
+	char s_title[CHATROOM_TITLE_SIZE];
+
+	if( len <= 0 )
+		return; // invalid input
+
 	safestrncpy(s_password, password, CHATROOM_PASS_SIZE);
+	safestrncpy(s_title, title, min(len+1,CHATROOM_TITLE_SIZE)); //NOTE: assumes that safestrncpy will not access the len+1'th byte
 
 	chat_changechatstatus(sd, s_title, s_password, limit, pub);
 }
-- 
cgit v1.2.3-70-g09d2