added some checks to snap handling

1 parent 3e1d022 commit ff254722a2683867fcb3e67569ffd36226c4bc62 @oy oy committed Nov 4, 2016
Showing with 3 additions and 2 deletions.
  1. +1 −1 src/engine/client/client.cpp
  2. +2 −1 src/engine/shared/snapshot.h
@@ -1239,7 +1239,7 @@ void CClient::ProcessServerPacket(CNetChunk *pPacket)
pData = (const char *)Unpacker.GetRaw(PartSize);
- if(Unpacker.Error())
+ if(Unpacker.Error() || NumParts < 1 || NumParts > CSnapshot::MAX_PARTS || Part < 0 | Part >= NumParts || PartSize < 0 || PartSize > MAX_SNAPSHOT_PACKSIZE)
@akien-mga, Nov 19, 2016

Is this meant to be a bitwise OR in Part < 0 | Part >= NumParts, or is that a typo?
See http://openwall.com/lists/oss-security/2016/11/17/8

@heinrich5991, Nov 19, 2016

It's a typo. We noticed it because some compiler started throwing warnings, but since | achieves the same effect as || we decided not to fix it for the release.

@akien-mga, Nov 19, 2016

Might still be worth putting a fix in the git branch for a future release :)

@heinrich5991, Nov 19, 2016

Someone will eventually do it because the warning is annoying.

return;
if(GameTick >= m_CurrentRecvTick)
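Review bot: the new range checks run only after `pData = (const char *)Unpacker.GetRaw(PartSize)` on the line above, so a negative or oversized PartSize reaches GetRaw before `PartSize < 0 || PartSize > MAX_SNAPSHOT_PACKSIZE` rejects it; unless GetRaw itself refuses such sizes and sets the flag that `Unpacker.Error()` reports, move the PartSize check ahead of the GetRaw call (or validate PartSize right where it is unpacked) so no out-of-range length is ever handed to the unpacker. Separately, `Part < 0 | Part >= NumParts` uses bitwise `|` while the rest of the condition uses `||`; the result is identical here because both operands are side-effect-free bool comparisons, but it is the typo the comments above point out and should read `Part < 0 || Part >= NumParts` so the compiler warning disappears and the intent is unambiguous.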
@@ -31,7 +31,8 @@ class CSnapshot
public:
enum
{
- MAX_SIZE=64*1024
+ MAX_PARTS = 64,
+ MAX_SIZE = MAX_PARTS*1024
};
void Clear() { m_DataSize = 0; m_NumItems = 0; }
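Review bot: `MAX_SIZE = MAX_PARTS*1024` hard-codes the assumption that one snapshot part is at most 1024 bytes, while the per-part bound actually enforced in client.cpp is MAX_SNAPSHOT_PACKSIZE; if that constant is the per-part limit, derive the total from it (`MAX_SIZE = MAX_PARTS*MAX_SNAPSHOT_PACKSIZE`) or add a static_assert relating the two so the limits cannot silently drift apart. The enum also carries no documentation: add a comment stating that MAX_PARTS is the maximum number of parts the client accepts for a single snapshot, since that is the meaning the new check in ProcessServerPacket relies on.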
