ioquake
/
ioq3
mirror of https://github.com/ioquake/ioq3.git
0
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Fix remotely exploitable parse download overflow reported by Luigi Auriemma. 

See http://lists.grok.org.uk/pipermail/full-disclosure/2006-June/046578.html
for the advisory.
This commit is contained in:
Thilo Schulz 2006-06-04 13:45:53 +00:00
parent 84296bfc2c
commit 99abd01c2f
1 changed files with 20 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
code/client/cl_parse.c
View File

@ -255,6 +255,13 @@ void CL_ParseSnapshot( msg_t *msg ) {
// read areamask
len = MSG_ReadByte( msg );
if(len > sizeof(newSnap.areamask))
{
Com_Error (ERR_DROP,"CL_ParseSnapshot: Invalid size %d for areamask.", len);
return;
}
MSG_ReadData( msg, &newSnap.areamask, len);
// read playerinfo
@ -475,6 +482,12 @@ void CL_ParseDownload ( msg_t *msg ) {
unsigned char data[MAX_MSGLEN];
int block;
if (!*clc.downloadTempName) {
Com_Printf("Server sending download, but no download was requested\n");
CL_AddReliableCommand( "stopdl" );
return;
}
// read the data
block = MSG_ReadShort ( msg );
@ -493,8 +506,13 @@ void CL_ParseDownload ( msg_t *msg ) {
}
size = MSG_ReadShort ( msg );
if (size > 0)
MSG_ReadData( msg, data, size );
if (size < 0 || size > sizeof(data))
{
Com_Error(ERR_DROP, "CL_ParseDownload: Invalid size %d for download chunk.", size);
return;
}
MSG_ReadData(msg, data, size);
if (clc.downloadBlock != block) {
Com_DPrintf( "CL_ParseDownload: Expected block %d, got %d\n", clc.downloadBlock, block);
@ -504,12 +522,6 @@ void CL_ParseDownload ( msg_t *msg ) {
// open the file if not opened yet
if (!clc.download)
{
if (!*clc.downloadTempName) {
Com_Printf("Server sending download, but no download was requested\n");
CL_AddReliableCommand( "stopdl" );
return;
}
clc.download = FS_SV_FOpenFileWrite( clc.downloadTempName );
if (!clc.download) {