From 801be3ee5bdd81ec28f65520905a4acab8f47251 Mon Sep 17 00:00:00 2001
From: s1lentq
Date: Sat, 12 Jun 2021 00:22:30 +0700
Subject: [PATCH] SV_ParseMove, SV_ParseConsistencyResponse: check length
---
 rehlds/engine/common.cpp | 16 ++++++++++++++++
 rehlds/engine/common.h | 2 ++
 rehlds/engine/sv_user.cpp | 18 ++++++++++++++++++
 3 files changed, 36 insertions(+)
diff --git a/rehlds/engine/common.cpp b/rehlds/engine/common.cpp
index b9d1210..c9f07a6 100644
--- a/rehlds/engine/common.cpp
+++ b/rehlds/engine/common.cpp
@@ -1164,6 +1164,22 @@ void SZ_Clear(sizebuf_t *buf)
 buf->cursize = 0;
 }
+qboolean SZ_HasSpaceToRead(const sizebuf_t *buf, int length)
+{
+ if ((msg_readcount + length) > buf->maxsize)
+ return FALSE;
+
+ return TRUE;
+}
+qboolean SZ_HasSomethingToRead(const sizebuf_t *buf, int length)
+{
+ if ((msg_readcount + length) > buf->cursize)
+ return FALSE;
+
+ return TRUE;
+}
+
 void *EXT_FUNC SZ_GetSpace(sizebuf_t *buf, int length)
 {
 void *data;
diff --git a/rehlds/engine/common.h b/rehlds/engine/common.h
index 2d81b3f..22d07e9 100644
--- a/rehlds/engine/common.h
+++ b/rehlds/engine/common.h
@@ -159,6 +159,8 @@ void MSG_ReadUsercmd(usercmd_t *to, usercmd_t *from);
 void SZ_Alloc(const char *name, sizebuf_t *buf, int startsize);
 void SZ_Clear(sizebuf_t *buf);
+qboolean SZ_HasSpaceToRead(const sizebuf_t *buf, int length);
+qboolean SZ_HasSomethingToRead(const sizebuf_t *buf, int length);
 void *SZ_GetSpace(sizebuf_t *buf, int length);
 void SZ_Write(sizebuf_t *buf, const void *data, int length);
 void SZ_Print(sizebuf_t *buf, const char *data);
diff --git a/rehlds/engine/sv_user.cpp b/rehlds/engine/sv_user.cpp
index 168828b..306e1e8 100644
--- a/rehlds/engine/sv_user.cpp
+++ b/rehlds/engine/sv_user.cpp
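Review bot: SZ_HasSpaceToRead and SZ_HasSomethingToRead accept a negative `length` unchecked, so a future caller that skips its own `<= 0` test gets a TRUE for a cursor that has moved backwards; both call sites in this commit do reject `<= 0` first, so this is hardening rather than a live bug. Adding the guard inside the helpers, `if (length < 0 || (msg_readcount + length) > buf->maxsize)` and the same for cursize, makes them safe on their own. The two names also do not convey the maxsize/cursize split, and both read the global `msg_readcount` rather than anything in `buf`; a one-line comment on each would help, e.g. `// TRUE if length more bytes from the global msg_readcount stay inside the allocation (maxsize); they need not have been received` and `// TRUE if length more bytes from the global msg_readcount lie within the bytes actually received (cursize)`.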
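Review bot: The two new prototypes in common.h give no hint that the check is taken relative to the global read cursor rather than to a position carried in `buf`, nor which of the two buffer bounds each one applies. A header comment above the pair would save callers a trip to common.cpp: `// Bounds checks relative to the global msg_readcount: SZ_HasSpaceToRead tests against the allocation (maxsize), SZ_HasSomethingToRead against the bytes received (cursize).`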
@@ -93,6 +93,15 @@ void SV_ParseConsistencyResponse(client_t *pSenderClient)
 int c = 0;
 Q_memset(nullbuffer, 0, sizeof(nullbuffer));
 int value = MSG_ReadShort();
+
+ if (value <= 0 || !SZ_HasSomethingToRead(&net_message, value))
+ {
+ msg_badread = TRUE;
+ Con_DPrintf("%s: %s:%s invalid length: %d\n", __func__, host_client->name, NET_AdrToString(host_client->netchan.remote_address), value);
+ SV_DropClient(host_client, FALSE, "Invalid length");
+ return;
+ }
+
 COM_UnMunge(&net_message.data[msg_readcount], value, g_psvs.spawncount);
 MSG_StartBitReading(&net_message);
@@ -1540,6 +1549,15 @@ void SV_ParseMove(client_t *pSenderClient)
 placeholder = msg_readcount + 1;
 mlen = MSG_ReadByte();
+
+ if (mlen <= 0 || !SZ_HasSpaceToRead(&net_message, mlen + 2))
+ {
+ msg_badread = TRUE;
+ Con_DPrintf("%s: %s:%s invalid length: %d\n", __func__, host_client->name, NET_AdrToString(host_client->netchan.remote_address), mlen);
+ SV_DropClient(host_client, FALSE, "Invalid length");
+ return;
+ }
+
 cbchecksum = MSG_ReadByte();
 COM_UnMunge(&net_message.data[placeholder + 1], mlen, host_client->netchan.incoming_sequence);
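Review bot: The guard in SV_ParseConsistencyResponse bounds `value` against cursize before COM_UnMunge rewrites that many bytes in place, which is the right bound, but nothing in the hunk says why cursize rather than the allocation, and the `value <= 0` branch presumably also catches a short read reported by MSG_ReadShort, so the log line cannot tell a truncated packet from a bad length. A why-comment above the `if` would carry the intent: `// value is the byte length of the munged block that COM_UnMunge rewrites in place; it must fit within the bytes actually received (cursize), not merely the allocation`. SV_ParseConsistencyResponse starts before this hunk and the parsing that consumes the unmunged bytes continues after it.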
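Review bot: The SV_ParseMove guard bounds `mlen + 2` against the allocation via SZ_HasSpaceToRead (maxsize), whereas the SV_ParseConsistencyResponse guard in the same commit uses SZ_HasSomethingToRead (cursize). With maxsize the in-place COM_UnMunge can no longer write past the buffer, but an `mlen` larger than the remaining received bytes still passes and the munge then runs over whatever stale bytes sit in the tail of net_message, leaving it to later reads to notice, if they check cursize at all. Unless a short payload is deliberately tolerated here, `if (mlen <= 0 || !SZ_HasSomethingToRead(&net_message, mlen + 2))` rejects it up front and makes the two guards consistent. The `+ 2` covers the checksum byte read next plus one byte of slack from `placeholder = msg_readcount + 1`, so the range COM_UnMunge touches (`placeholder + 1` for `mlen` bytes) is inside the check either way. SV_ParseMove begins and ends outside this hunk.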