Fix remotely exploitable parse download overflow reported by Luigi Auriemma.

See http://lists.grok.org.uk/pipermail/full-disclosure/2006-June/046578.html
for the advisory.
Thilo Schulz 2006-06-04 13:45:53 +00:00
parent 84296bfc2c
commit 99abd01c2f


@ -255,6 +255,13 @@ void CL_ParseSnapshot( msg_t *msg ) {
// read areamask // read areamask
len = MSG_ReadByte( msg ); len = MSG_ReadByte( msg );
if(len > sizeof(newSnap.areamask))
{
Com_Error (ERR_DROP,"CL_ParseSnapshot: Invalid size %d for areamask.", len);
return;
}
MSG_ReadData( msg, &newSnap.areamask, len); MSG_ReadData( msg, &newSnap.areamask, len);
// read playerinfo // read playerinfo
@ -475,6 +482,12 @@ void CL_ParseDownload ( msg_t *msg ) {
unsigned char data[MAX_MSGLEN]; unsigned char data[MAX_MSGLEN];
int block; int block;
if (!*clc.downloadTempName) {
Com_Printf("Server sending download, but no download was requested\n");
CL_AddReliableCommand( "stopdl" );
return;
}
// read the data // read the data
block = MSG_ReadShort ( msg ); block = MSG_ReadShort ( msg );
@ -493,8 +506,13 @@ void CL_ParseDownload ( msg_t *msg ) {
} }
size = MSG_ReadShort ( msg ); size = MSG_ReadShort ( msg );
if (size > 0) if (size < 0 || size > sizeof(data))
MSG_ReadData( msg, data, size ); {
Com_Error(ERR_DROP, "CL_ParseDownload: Invalid size %d for download chunk.", size);
return;
}
MSG_ReadData(msg, data, size);
if (clc.downloadBlock != block) { if (clc.downloadBlock != block) {
Com_DPrintf( "CL_ParseDownload: Expected block %d, got %d\n", clc.downloadBlock, block); Com_DPrintf( "CL_ParseDownload: Expected block %d, got %d\n", clc.downloadBlock, block);
@ -504,12 +522,6 @@ void CL_ParseDownload ( msg_t *msg ) {
// open the file if not opened yet // open the file if not opened yet
if (!clc.download) if (!clc.download)
{ {
if (!*clc.downloadTempName) {
Com_Printf("Server sending download, but no download was requested\n");
CL_AddReliableCommand( "stopdl" );
return;
}
clc.download = FS_SV_FOpenFileWrite( clc.downloadTempName ); clc.download = FS_SV_FOpenFileWrite( clc.downloadTempName );
if (!clc.download) { if (!clc.download) {