mirror of https://github.com/rehlds/rehlds.git synced 2024-12-29 08:05:50 +03:00

SV_ParseMove, SV_ParseConsistencyResponse: check length

s1lentq 2021-06-12 00:22:30 +07:00
parent 05c7601f1e
commit 801be3ee5b
3 changed files with 36 additions and 0 deletions


@ -1164,6 +1164,22 @@ void SZ_Clear(sizebuf_t *buf)
buf->cursize = 0; buf->cursize = 0;
} }
qboolean SZ_HasSpaceToRead(const sizebuf_t *buf, int length)
{
if ((msg_readcount + length) > buf->maxsize)
return FALSE;
return TRUE;
}
qboolean SZ_HasSomethingToRead(const sizebuf_t *buf, int length)
{
if ((msg_readcount + length) > buf->cursize)
return FALSE;
return TRUE;
}
void *EXT_FUNC SZ_GetSpace(sizebuf_t *buf, int length) void *EXT_FUNC SZ_GetSpace(sizebuf_t *buf, int length)
{ {
void *data; void *data;
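Review bot: Both new helpers compute `msg_readcount + length` as a signed sum and never reject a negative `length`, so a negative value passes the test and the helpers are only safe because each caller checks `<= 0` first. Writing the comparison as a subtraction removes both the overflow and the dependency on the caller, e.g. `if (length < 0 || length > buf->cursize - msg_readcount) return FALSE;` in SZ_HasSomethingToRead, and the same with `buf->maxsize` in SZ_HasSpaceToRead. The helpers also take `buf` but read the global `msg_readcount`, so they are only meaningful for the buffer that cursor belongs to. A short comment on each, such as `/* length is measured from the global msg_readcount; buf must be the message being parsed */`, would make that explicit. Both functions are complete inside this hunk.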


@ -159,6 +159,8 @@ void MSG_ReadUsercmd(usercmd_t *to, usercmd_t *from);
void SZ_Alloc(const char *name, sizebuf_t *buf, int startsize); void SZ_Alloc(const char *name, sizebuf_t *buf, int startsize);
void SZ_Clear(sizebuf_t *buf); void SZ_Clear(sizebuf_t *buf);
qboolean SZ_HasSpaceToRead(const sizebuf_t *buf, int length);
qboolean SZ_HasSomethingToRead(const sizebuf_t *buf, int length);
void *SZ_GetSpace(sizebuf_t *buf, int length); void *SZ_GetSpace(sizebuf_t *buf, int length);
void SZ_Write(sizebuf_t *buf, const void *data, int length); void SZ_Write(sizebuf_t *buf, const void *data, int length);
void SZ_Print(sizebuf_t *buf, const char *data); void SZ_Print(sizebuf_t *buf, const char *data);


@ -93,6 +93,15 @@ void SV_ParseConsistencyResponse(client_t *pSenderClient)
int c = 0; int c = 0;
Q_memset(nullbuffer, 0, sizeof(nullbuffer)); Q_memset(nullbuffer, 0, sizeof(nullbuffer));
int value = MSG_ReadShort(); int value = MSG_ReadShort();
if (value <= 0 || !SZ_HasSomethingToRead(&net_message, value))
{
msg_badread = TRUE;
Con_DPrintf("%s: %s:%s invalid length: %d\n", __func__, host_client->name, NET_AdrToString(host_client->netchan.remote_address), value);
SV_DropClient(host_client, FALSE, "Invalid length");
return;
}
COM_UnMunge(&net_message.data[msg_readcount], value, g_psvs.spawncount); COM_UnMunge(&net_message.data[msg_readcount], value, g_psvs.spawncount);
MSG_StartBitReading(&net_message); MSG_StartBitReading(&net_message);
@ -1540,6 +1549,15 @@ void SV_ParseMove(client_t *pSenderClient)
placeholder = msg_readcount + 1; placeholder = msg_readcount + 1;
mlen = MSG_ReadByte(); mlen = MSG_ReadByte();
if (mlen <= 0 || !SZ_HasSpaceToRead(&net_message, mlen + 2))
{
msg_badread = TRUE;
Con_DPrintf("%s: %s:%s invalid length: %d\n", __func__, host_client->name, NET_AdrToString(host_client->netchan.remote_address), mlen);
SV_DropClient(host_client, FALSE, "Invalid length");
return;
}
cbchecksum = MSG_ReadByte(); cbchecksum = MSG_ReadByte();
COM_UnMunge(&net_message.data[placeholder + 1], mlen, host_client->netchan.incoming_sequence); COM_UnMunge(&net_message.data[placeholder + 1], mlen, host_client->netchan.incoming_sequence);
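Review bot: In the SV_ParseMove hunk the client-supplied `mlen` is bounded with SZ_HasSpaceToRead, which compares against `buf->maxsize` (the buffer capacity), whereas the SV_ParseConsistencyResponse hunk uses SZ_HasSomethingToRead against `cursize` (the bytes actually received). An `mlen` that runs past the end of the received packet but stays inside the capacity therefore still passes. COM_UnMunge would then process whatever the buffer holds after the packet data, presumably left over from earlier messages. If the looser bound is not deliberate, the guard could read `if (mlen <= 0 || !SZ_HasSomethingToRead(&net_message, mlen + 2))`; if it is deliberate, a comment on that line saying why capacity rather than received length is the right limit would help the next reader. Both function bodies start and end outside the hunks shown, so the later reads of this data are not visible here.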