From 18eba116576ead442acff4cc35d1d89604be270b Mon Sep 17 00:00:00 2001
From: helixhorned
Date: Sun, 3 Jun 2012 19:20:36 +0000
Subject: [PATCH] net: correct packet buffer overflow checks.

The GAMESTATE one has to be carried out twice, first on the data from xd3_encode_memory, and then with the compressed data (because it might have increased in size, though this is very unlikely). The MOVE check is similar, though there, failure of the first check implies corrupt memory (which is why we're Bassert'ing that condition). Currently, the overflow on GAMESTATE sending happens when switching to a different map.

git-svn-id: https://svn.eduke32.com/eduke32@2735 1a8010ca-5511-0410-912e-c29ae57300e0
---
 polymer/eduke32/source/net.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/polymer/eduke32/source/net.c b/polymer/eduke32/source/net.c
index 81bc47b13..08954b9f4 100644
--- a/polymer/eduke32/source/net.c
+++ b/polymer/eduke32/source/net.c
@@ -1750,7 +1750,6 @@ void Net_StreamLevel(void)
         streamoutput = (netmapstate_t *)Bcalloc(1, sizeof(netmapstate_t));
 
     for (pi=0; pi<(signed)g_netServer->peerCount; pi++)
-
     {
         ENetPeer *const currentPeer = &g_netServer->peers[pi];
         const intptr_t playeridx = (intptr_t)currentPeer->data;
@@ -1772,15 +1771,23 @@ void Net_StreamLevel(void)
     g_netMapRevision++;
 
     {
-        char buf[PACKBUF_SIZE+512];
+        char buf[PACKBUF_SIZE+400];
 
-        if (siz >= PACKBUF_SIZE)
+        if (osize >= PACKBUF_SIZE)
         {
-            initprintf("Global packet buffer overflow! Size of packet: %i\n", siz);
+            // XXX: this currently happens when e.g. switching levels
+            initprintf("Packet buffer overflow! Size of packet after diff before compress: %u\n", osize);
             return;
         }
 
         siz = qlz_compress((char *)streamoutput, buf, osize, state_compress);
+
+        if (siz >= PACKBUF_SIZE-1)
+        {
+            initprintf("Global packet buffer overflow! Size of packet after diff and compress: %d\n", siz);
+            return;
+        }
+
         Bmemcpy(packbuf+1, buf, siz);
         siz++;
     }
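Review bot: Both early returns in the new overflow checks of the second hunk are taken after `g_netMapRevision++` (the first context line of that hunk) has already run, so a dropped GAMESTATE packet still advances the revision; if peers compare revisions to detect a missed update, an oversized packet becomes a silent desync rather than something the next send can repair, which is worth confirming since the rest of Net_StreamLevel lies outside the hunk. If the counter is only meant to tag packets that were actually sent, moving the increment after the second check, i.e. placing `g_netMapRevision++;` immediately before `Bmemcpy(packbuf+1, buf, siz);`, keeps the two in step. The shrink of `buf` to `PACKBUF_SIZE+400` is only safe because the `osize >= PACKBUF_SIZE` check precedes `qlz_compress`, whose output may exceed its input by up to 400 bytes; a comment on the declaration such as `// +400: QuickLZ worst-case expansion; bounded by the osize check below` would record that the two lines depend on each other.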