Fix remotely exploitable parse download overflow reported by Luigi Auriemma.
See http://lists.grok.org.uk/pipermail/full-disclosure/2006-June/046578.html for the advisory.
This commit is contained in:
parent
84296bfc2c
commit
99abd01c2f
1 changed files with 20 additions and 8 deletions
|
@ -255,6 +255,13 @@ void CL_ParseSnapshot( msg_t *msg ) {
|
||||||
|
|
||||||
// read areamask
|
// read areamask
|
||||||
len = MSG_ReadByte( msg );
|
len = MSG_ReadByte( msg );
|
||||||
|
|
||||||
|
if(len > sizeof(newSnap.areamask))
|
||||||
|
{
|
||||||
|
Com_Error (ERR_DROP,"CL_ParseSnapshot: Invalid size %d for areamask.", len);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
MSG_ReadData( msg, &newSnap.areamask, len);
|
MSG_ReadData( msg, &newSnap.areamask, len);
|
||||||
|
|
||||||
// read playerinfo
|
// read playerinfo
|
||||||
|
@ -475,6 +482,12 @@ void CL_ParseDownload ( msg_t *msg ) {
|
||||||
unsigned char data[MAX_MSGLEN];
|
unsigned char data[MAX_MSGLEN];
|
||||||
int block;
|
int block;
|
||||||
|
|
||||||
|
if (!*clc.downloadTempName) {
|
||||||
|
Com_Printf("Server sending download, but no download was requested\n");
|
||||||
|
CL_AddReliableCommand( "stopdl" );
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
// read the data
|
// read the data
|
||||||
block = MSG_ReadShort ( msg );
|
block = MSG_ReadShort ( msg );
|
||||||
|
|
||||||
|
@ -493,8 +506,13 @@ void CL_ParseDownload ( msg_t *msg ) {
|
||||||
}
|
}
|
||||||
|
|
||||||
size = MSG_ReadShort ( msg );
|
size = MSG_ReadShort ( msg );
|
||||||
if (size > 0)
|
if (size < 0 || size > sizeof(data))
|
||||||
MSG_ReadData( msg, data, size );
|
{
|
||||||
|
Com_Error(ERR_DROP, "CL_ParseDownload: Invalid size %d for download chunk.", size);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
MSG_ReadData(msg, data, size);
|
||||||
|
|
||||||
if (clc.downloadBlock != block) {
|
if (clc.downloadBlock != block) {
|
||||||
Com_DPrintf( "CL_ParseDownload: Expected block %d, got %d\n", clc.downloadBlock, block);
|
Com_DPrintf( "CL_ParseDownload: Expected block %d, got %d\n", clc.downloadBlock, block);
|
||||||
|
@ -504,12 +522,6 @@ void CL_ParseDownload ( msg_t *msg ) {
|
||||||
// open the file if not opened yet
|
// open the file if not opened yet
|
||||||
if (!clc.download)
|
if (!clc.download)
|
||||||
{
|
{
|
||||||
if (!*clc.downloadTempName) {
|
|
||||||
Com_Printf("Server sending download, but no download was requested\n");
|
|
||||||
CL_AddReliableCommand( "stopdl" );
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
|
|
||||||
clc.download = FS_SV_FOpenFileWrite( clc.downloadTempName );
|
clc.download = FS_SV_FOpenFileWrite( clc.downloadTempName );
|
||||||
|
|
||||||
if (!clc.download) {
|
if (!clc.download) {
|
||||||
|
|
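Review bot: The areamask bound in the first hunk, `if(len > sizeof(newSnap.areamask))`, only tests the upper limit, whereas the download-chunk check in the third hunk rejects `size < 0` before comparing against `sizeof(data)`. If MSG_ReadByte can signal a truncated message with a negative value (as MSG_ReadShort appears to, given the new `size < 0` test), the areamask check is safe only through the signed-to-unsigned conversion in the comparison, which a later edit could silently undo. For consistency and to make the intent explicit, write `if(len < 0 || len > sizeof(newSnap.areamask))`, or add `// len is int: a negative (truncated-message) value converts to a huge size_t and is rejected here` above it. The `sizeof(data)` bound in the third hunk is correct only because `data` is the local array `unsigned char data[MAX_MSGLEN]` declared in this function rather than a pointer; a short comment such as `// data is a local array, so sizeof gives its capacity` would protect against a future refactor. Both CL_ParseSnapshot and CL_ParseDownload continue outside the visible hunks.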