reHLDS/rehlds
2
0
Fork 0
mirror of https://github.com/rehlds/rehlds.git synced 2024-12-27 23:25:45 +03:00
Code Issues Projects Releases Wiki Activity

SV_ParseMove, SV_ParseConsistencyResponse: check length

Browse Source
This commit is contained in:
s1lentq 2021-06-12 00:22:30 +07:00
parent 05c7601f1e
commit 801be3ee5b
3 changed files with 36 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
rehlds/engine/common.cpp
View File

@ -1164,6 +1164,22 @@ void SZ_Clear(sizebuf_t *buf)
buf->cursize = 0;
}
qboolean SZ_HasSpaceToRead(const sizebuf_t *buf, int length)
{
if ((msg_readcount + length) > buf->maxsize)
return FALSE;
return TRUE;
}
qboolean SZ_HasSomethingToRead(const sizebuf_t *buf, int length)
{
if ((msg_readcount + length) > buf->cursize)
return FALSE;
return TRUE;
}
void *EXT_FUNC SZ_GetSpace(sizebuf_t *buf, int length)
{
void *data;

2
rehlds/engine/common.h
View File

@ -159,6 +159,8 @@ void MSG_ReadUsercmd(usercmd_t *to, usercmd_t *from);
void SZ_Alloc(const char *name, sizebuf_t *buf, int startsize);
void SZ_Clear(sizebuf_t *buf);
qboolean SZ_HasSpaceToRead(const sizebuf_t *buf, int length);
qboolean SZ_HasSomethingToRead(const sizebuf_t *buf, int length);
void *SZ_GetSpace(sizebuf_t *buf, int length);
void SZ_Write(sizebuf_t *buf, const void *data, int length);
void SZ_Print(sizebuf_t *buf, const char *data);

18
rehlds/engine/sv_user.cpp
View File

@ -93,6 +93,15 @@ void SV_ParseConsistencyResponse(client_t *pSenderClient)
int c = 0;
Q_memset(nullbuffer, 0, sizeof(nullbuffer));
int value = MSG_ReadShort();
if (value <= 0 || !SZ_HasSomethingToRead(&net_message, value))
{
msg_badread = TRUE;
Con_DPrintf("%s: %s:%s invalid length: %d\n", __func__, host_client->name, NET_AdrToString(host_client->netchan.remote_address), value);
SV_DropClient(host_client, FALSE, "Invalid length");
return;
}
COM_UnMunge(&net_message.data[msg_readcount], value, g_psvs.spawncount);
MSG_StartBitReading(&net_message);
@ -1540,6 +1549,15 @@ void SV_ParseMove(client_t *pSenderClient)
placeholder = msg_readcount + 1;
mlen = MSG_ReadByte();
if (mlen <= 0 || !SZ_HasSpaceToRead(&net_message, mlen + 2))
{
msg_badread = TRUE;
Con_DPrintf("%s: %s:%s invalid length: %d\n", __func__, host_client->name, NET_AdrToString(host_client->netchan.remote_address), mlen);
SV_DropClient(host_client, FALSE, "Invalid length");
return;
}
cbchecksum = MSG_ReadByte();
COM_UnMunge(&net_message.data[placeholder + 1], mlen, host_client->netchan.incoming_sequence);