From d931d8e3350ebfde68bd4120e05b9b1ca940ae76 Mon Sep 17 00:00:00 2001
From: Dennis Friis
Date: Tue, 23 Jun 2009 17:04:32 +0200
Subject: Fail storage parse if storage is dirty and unsaved. Derived from ea stable.
---
 src/map/intif.c | 38 +++++++++++++++++++++++++++++++-------
 1 file changed, 31 insertions(+), 7 deletions(-)
(limited to 'src')
diff --git a/src/map/intif.c b/src/map/intif.c
index ca9d3c3..7f3eafc 100644
--- a/src/map/intif.c
+++ b/src/map/intif.c
@@ -579,21 +579,33 @@ int intif_parse_LoadStorage(int fd)
 {
 struct storage *stor;
 struct map_session_data *sd;
- stor = account2storage( RFIFOL(fd,4));
- if (RFIFOW(fd,2)-8 != sizeof(struct storage)) {
- if (battle_config.error_log)
- printf("intif_parse_LoadStorage: data size error %d %d\n", RFIFOW(fd,2)-8, sizeof(struct storage));
- return 1;
- }
 sd=map_id2sd( RFIFOL(fd,4) );
 if(sd==NULL){
 if(battle_config.error_log)
 printf("intif_parse_LoadStorage: user not found %d\n",RFIFOL(fd,4));
 return 1;
 }
+ stor = account2storage( RFIFOL(fd,4));
+ if (stor->storage_status == 1) { // Already open.. lets ignore this update
+ if (battle_config.error_log)
+ printf("intif_parse_LoadStorage: storage received for a client already open (User %d:%d)\n", sd->status.account_id, sd->status.char_id);
+ return 1;
+ }
+ if (stor->dirty) { // Already have storage, and it has been modified and not saved yet! Exploit! [Skotlex]
+ if (battle_config.error_log)
+ printf("intif_parse_LoadStorage: received storage for an already modified non-saved storage! (User %d:%d)\n", sd->status.account_id, sd->status.char_id);
+ return 1;
+ }
+
+ if (RFIFOW(fd,2)-8 != sizeof(struct storage)) {
+ if (battle_config.error_log)
+ printf("intif_parse_LoadStorage: data size error %d %d\n", RFIFOW(fd,2)-8, sizeof(struct storage));
+ return 1;
+ }
 if(battle_config.save_log)
 printf("intif_openstorage: %d\n",RFIFOL(fd,4) );
 memcpy(stor,RFIFOP(fd,8),sizeof(struct storage));
+ stor->dirty=0;
 stor->storage_status=1;
 sd->state.storage_flag = 1;
 clif_storageitemlist(sd,stor);
@@ -616,7 +628,9 @@ int intif_parse_LoadGuildStorage(int fd)
 {
 struct guild_storage *gstor;
 struct map_session_data *sd;
- int guild_id = RFIFOL(fd,8);
+ int guild_id;
+
+ guild_id = RFIFOL(fd,8);
 if(guild_id > 0) {
 gstor=guild2storage(guild_id);
 if(!gstor) {
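Review bot: The new `stor->dirty` guard is only trustworthy because `stor->dirty=0` is written after `memcpy(stor,RFIFOP(fd,8),sizeof(struct storage))`, since that memcpy overwrites every field of the in-memory struct, `dirty` and `storage_status` included, with whatever the char-server sent; that dependency deserves a comment on the reset, e.g. `stor->dirty=0; // memcpy took dirty/status from the wire; start clean so the unsaved-changes guard above can be trusted`. The same guard is added for guild storage in the LoadGuildStorage hunk on the next line, where no matching reset is visible after its memcpy. Minor, on the moved size check: `printf("... %d %d\n", RFIFOW(fd,2)-8, sizeof(struct storage))` passes a size_t to `%d`; `(int)sizeof(struct storage)` or `%zu` would match the argument. `account2storage()` is still dereferenced without a NULL check, presumably because it never returns NULL, which is worth confirming. intif_parse_LoadStorage's body continues past the hunk.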
@@ -636,6 +650,16 @@ int intif_parse_LoadGuildStorage(int fd)
 printf("intif_parse_LoadGuildStorage: user not found %d\n",RFIFOL(fd,4));
 return 1;
 }
+ if (gstor->storage_status == 1) { // Already open.. lets ignore this update
+ if (battle_config.error_log)
+ printf("intif_parse_LoadGuildStorage: storage received for a client already open (User %d:%d)\n", sd->status.account_id, sd->status.char_id);
+ return 1;
+ }
+ if (gstor->dirty) { // Already have storage, and it has been modified and not saved yet! Exploit! [Skotlex]
+ if (battle_config.error_log)
+ printf("intif_parse_LoadGuildStorage: received storage for an already modified non-saved storage! (User %d:%d)\n", sd->status.account_id, sd->status.char_id);
+ return 1;
+ }
 if(battle_config.save_log)
 printf("intif_open_guild_storage: %d\n",RFIFOL(fd,4) );
 memcpy(gstor,RFIFOP(fd,12),sizeof(struct guild_storage));
-- 
cgit v1.2.3-70-g09d2
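Review bot: No `gstor->dirty = 0` follows `memcpy(gstor,RFIFOP(fd,12),sizeof(struct guild_storage))`, although the account-storage hunk above resets `stor->dirty=0` right after its memcpy; the diffstat (31 insertions = 18 + 3 + 10 across the three hunks) shows no such line was added anywhere in this commit, so unless the original already clears it after the memcpy outside this hunk, the new `gstor->dirty` guard is decided by whatever value the peer sent inside the struct. Adding `gstor->dirty = 0;` directly after the memcpy would make the two parsers consistent. Also, unlike intif_parse_LoadStorage, no comparison of `RFIFOW(fd,2)` against `sizeof(struct guild_storage)` is visible in this hunk before the memcpy; if one exists it lies outside the hunk, otherwise the copy length is never validated against the received packet length. intif_parse_LoadGuildStorage's body continues beyond the hunk.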