Fix remotely exploitable parse download overflow reported by Luigi Auriemma.

See http://lists.grok.org.uk/pipermail/full-disclosure/2006-June/046578.html
for the advisory.
This commit is contained in:
Thilo Schulz 2006-06-04 13:45:53 +00:00
parent 84296bfc2c
commit 99abd01c2f

View file

@ -255,6 +255,13 @@ void CL_ParseSnapshot( msg_t *msg ) {
// read areamask
len = MSG_ReadByte( msg );
if(len > sizeof(newSnap.areamask))
{
Com_Error (ERR_DROP,"CL_ParseSnapshot: Invalid size %d for areamask.", len);
return;
}
MSG_ReadData( msg, &newSnap.areamask, len);
// read playerinfo
@ -475,6 +482,12 @@ void CL_ParseDownload ( msg_t *msg ) {
unsigned char data[MAX_MSGLEN];
int block;
if (!*clc.downloadTempName) {
Com_Printf("Server sending download, but no download was requested\n");
CL_AddReliableCommand( "stopdl" );
return;
}
// read the data
block = MSG_ReadShort ( msg );
@ -493,7 +506,12 @@ void CL_ParseDownload ( msg_t *msg ) {
}
size = MSG_ReadShort ( msg );
if (size > 0)
if (size < 0 || size > sizeof(data))
{
Com_Error(ERR_DROP, "CL_ParseDownload: Invalid size %d for download chunk.", size);
return;
}
MSG_ReadData(msg, data, size);
if (clc.downloadBlock != block) {
@ -504,12 +522,6 @@ void CL_ParseDownload ( msg_t *msg ) {
// open the file if not opened yet
if (!clc.download)
{
if (!*clc.downloadTempName) {
Com_Printf("Server sending download, but no download was requested\n");
CL_AddReliableCommand( "stopdl" );
return;
}
clc.download = FS_SV_FOpenFileWrite( clc.downloadTempName );
if (!clc.download) {