Fix remotely exploitable parse download overflow reported by Luigi Auriemma.

See http://lists.grok.org.uk/pipermail/full-disclosure/2006-June/046578.html for the advisory.
2024-11-23 04:12:39 +00:00 · 2006-06-04 13:45:53 +00:00 · 2006-06-04 13:45:53 +00:00 · 99abd01c2f
commit 99abd01c2f
parent 84296bfc2c
1 changed files with 20 additions and 8 deletions
--- a/code/client/cl_parse.c
+++ b/code/client/cl_parse.c
@ -255,6 +255,13 @@ void CL_ParseSnapshot( msg_t *msg ) {

 	// read areamask
 	len = MSG_ReadByte( msg );
+	
+	if(len > sizeof(newSnap.areamask))
+	{
+		Com_Error (ERR_DROP,"CL_ParseSnapshot: Invalid size %d for areamask.", len);
+		return;
+	}
+	
 	MSG_ReadData( msg, &newSnap.areamask, len);

 	// read playerinfo
@ -475,6 +482,12 @@ void CL_ParseDownload ( msg_t *msg ) {
 	unsigned char data[MAX_MSGLEN];
 	int block;

+	if (!*clc.downloadTempName) {
+		Com_Printf("Server sending download, but no download was requested\n");
+		CL_AddReliableCommand( "stopdl" );
+		return;
+	}
+
 	// read the data
 	block = MSG_ReadShort ( msg );

@ -493,8 +506,13 @@ void CL_ParseDownload ( msg_t *msg ) {
 	}

 	size = MSG_ReadShort ( msg );
-	if (size > 0)
-		MSG_ReadData( msg, data, size );
+	if (size < 0 || size > sizeof(data))
+	{
+		Com_Error(ERR_DROP, "CL_ParseDownload: Invalid size %d for download chunk.", size);
+		return;
+	}
+	
+	MSG_ReadData(msg, data, size);

 	if (clc.downloadBlock != block) {
 		Com_DPrintf( "CL_ParseDownload: Expected block %d, got %d\n", clc.downloadBlock, block);
@ -504,12 +522,6 @@ void CL_ParseDownload ( msg_t *msg ) {
 	// open the file if not opened yet
 	if (!clc.download)
 	{
-		if (!*clc.downloadTempName) {
-			Com_Printf("Server sending download, but no download was requested\n");
-			CL_AddReliableCommand( "stopdl" );
-			return;
-		}
-
 		clc.download = FS_SV_FOpenFileWrite( clc.downloadTempName );

 		if (!clc.download) {