Mirroristas/rathena
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Added length check to functions clif_parse_CreateChatRoom and clif_parse_ChatRoomStatusChange (bugreport:2999).

Browse Source 
This prevents a signed/unsigned integer overflow when calling the safestrncpy function.
Also added a note regarding a potential out-of-bounds access issue in these functions.

git-svn-id: https://svn.code.sf.net/p/rathena/svn/trunk@13690 54d463be-8e91-2dee-dedb-b68131a5f0ec
This commit is contained in:
ultramage 2009-04-23 15:09:17 +00:00
parent cd82016586
commit 22b2671e0f
2 changed files with 11 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
src/map/clif.c
View File

@ -9095,8 +9095,8 @@ void clif_parse_CreateChatRoom(int fd, struct map_session_data* sd)
bool pub = (RFIFOB(fd,6) != 0); bool pub = (RFIFOB(fd,6) != 0);
const char* password = (char*)RFIFOP(fd,7); //not zero-terminated const char* password = (char*)RFIFOP(fd,7); //not zero-terminated
const char* title = (char*)RFIFOP(fd,15); // not zero-terminated const char* title = (char*)RFIFOP(fd,15); // not zero-terminated
char s_title[CHATROOM_TITLE_SIZE];
char s_password[CHATROOM_PASS_SIZE]; char s_password[CHATROOM_PASS_SIZE];
char s_title[CHATROOM_TITLE_SIZE];
if (sd->sc.data[SC_NOCHAT] && sd->sc.data[SC_NOCHAT]->val1&MANNER_NOROOM) if (sd->sc.data[SC_NOCHAT] && sd->sc.data[SC_NOCHAT]->val1&MANNER_NOROOM)
return; return;
@ -9105,8 +9105,11 @@ void clif_parse_CreateChatRoom(int fd, struct map_session_data* sd)
return; return;
} }
safestrncpy(s_title, title, min(len+1,CHATROOM_TITLE_SIZE)); if( len <= 0 )
return; // invalid input
safestrncpy(s_password, password, CHATROOM_PASS_SIZE); safestrncpy(s_password, password, CHATROOM_PASS_SIZE);
safestrncpy(s_title, title, min(len+1,CHATROOM_TITLE_SIZE)); //NOTE: assumes that safestrncpy will not access the len+1'th byte
chat_createpcchat(sd, s_title, s_password, limit, pub); chat_createpcchat(sd, s_title, s_password, limit, pub);
} }
@ -9134,11 +9137,14 @@ void clif_parse_ChatRoomStatusChange(int fd, struct map_session_data* sd)
bool pub = (RFIFOB(fd,6) != 0); bool pub = (RFIFOB(fd,6) != 0);
const char* password = (char*)RFIFOP(fd,7); // not zero-terminated const char* password = (char*)RFIFOP(fd,7); // not zero-terminated
const char* title = (char*)RFIFOP(fd,15); // not zero-terminated const char* title = (char*)RFIFOP(fd,15); // not zero-terminated
char s_title[CHATROOM_TITLE_SIZE];
char s_password[CHATROOM_PASS_SIZE]; char s_password[CHATROOM_PASS_SIZE];
safestrncpy(s_title, title, min(len+1,CHATROOM_TITLE_SIZE)); char s_title[CHATROOM_TITLE_SIZE];
if( len <= 0 )
return; // invalid input
safestrncpy(s_password, password, CHATROOM_PASS_SIZE); safestrncpy(s_password, password, CHATROOM_PASS_SIZE);
safestrncpy(s_title, title, min(len+1,CHATROOM_TITLE_SIZE)); //NOTE: assumes that safestrncpy will not access the len+1'th byte
chat_changechatstatus(sd, s_title, s_password, limit, pub); chat_changechatstatus(sd, s_title, s_password, limit, pub);
} }

1
src/map/mob.c
View File

@ -47,7 +47,6 @@
// Move probability for mobs away from players (rate of 1000 minute) // Move probability for mobs away from players (rate of 1000 minute)
// in Aegis, this is 100% for mobs that have been activated by players and none otherwise. // in Aegis, this is 100% for mobs that have been activated by players and none otherwise.
#define MOB_LAZYMOVEPERC(md) (md->state.spotted?1000:0) #define MOB_LAZYMOVEPERC(md) (md->state.spotted?1000:0)
#define MOB_LAZYWARPPERC 20 // Warp probability in the negligent mode MOB (rate of 1000 minute)
#define MOB_MAX_DELAY (24*3600*1000) #define MOB_MAX_DELAY (24*3600*1000)
#define MAX_MINCHASE 30 //Max minimum chase value to use for mobs. #define MAX_MINCHASE 30 //Max minimum chase value to use for mobs.
#define RUDE_ATTACKED_COUNT 2 //After how many rude-attacks should the skill be used? #define RUDE_ATTACKED_COUNT 2 //After how many rude-attacks should the skill be used?