From 99abd01c2f5e1a181acb8623edceff10cd918751 Mon Sep 17 00:00:00 2001 From: Thilo Schulz Date: Sun, 4 Jun 2006 13:45:53 +0000 Subject: [PATCH] Fix remotely exploitable parse download overflow reported by Luigi Auriemma. See http://lists.grok.org.uk/pipermail/full-disclosure/2006-June/046578.html for the advisory. --- code/client/cl_parse.c | 28 ++++++++++++++++++++-------- 1 file changed, 20 insertions(+), 8 deletions(-) diff --git a/code/client/cl_parse.c b/code/client/cl_parse.c index e9eddc77..81bdf5cc 100644 --- a/code/client/cl_parse.c +++ b/code/client/cl_parse.c @@ -255,6 +255,13 @@ void CL_ParseSnapshot( msg_t *msg ) { // read areamask len = MSG_ReadByte( msg ); + + if(len > sizeof(newSnap.areamask)) + { + Com_Error (ERR_DROP,"CL_ParseSnapshot: Invalid size %d for areamask.", len); + return; + } + MSG_ReadData( msg, &newSnap.areamask, len); // read playerinfo @@ -475,6 +482,12 @@ void CL_ParseDownload ( msg_t *msg ) { unsigned char data[MAX_MSGLEN]; int block; + if (!*clc.downloadTempName) { + Com_Printf("Server sending download, but no download was requested\n"); + CL_AddReliableCommand( "stopdl" ); + return; + } + // read the data block = MSG_ReadShort ( msg ); @@ -493,8 +506,13 @@ void CL_ParseDownload ( msg_t *msg ) { } size = MSG_ReadShort ( msg ); - if (size > 0) - MSG_ReadData( msg, data, size ); + if (size < 0 || size > sizeof(data)) + { + Com_Error(ERR_DROP, "CL_ParseDownload: Invalid size %d for download chunk.", size); + return; + } + + MSG_ReadData(msg, data, size); if (clc.downloadBlock != block) { Com_DPrintf( "CL_ParseDownload: Expected block %d, got %d\n", clc.downloadBlock, block); @@ -504,12 +522,6 @@ void CL_ParseDownload ( msg_t *msg ) { // open the file if not opened yet if (!clc.download) { - if (!*clc.downloadTempName) { - Com_Printf("Server sending download, but no download was requested\n"); - CL_AddReliableCommand( "stopdl" ); - return; - } - clc.download = FS_SV_FOpenFileWrite( clc.downloadTempName ); if (!clc.download) {