aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorthilo <thilo@edf5b092-35ff-0310-97b2-ce42778d08ea>2006-06-04 13:45:53 +0000
committerthilo <thilo@edf5b092-35ff-0310-97b2-ce42778d08ea>2006-06-04 13:45:53 +0000
commit3b2cb2af2303bb9bcc07a946846afc59b1f44fe1 (patch)
tree8fc470828528bca54305ddcf52217ba978a245aa
parent9ec60051feda995069d17a9590ccaf13dbef895c (diff)
downloadioquake3-aero-3b2cb2af2303bb9bcc07a946846afc59b1f44fe1.tar.gz
ioquake3-aero-3b2cb2af2303bb9bcc07a946846afc59b1f44fe1.zip
Fix remotely exploitable parse download overflow reported by Luigi Auriemma.
See http://lists.grok.org.uk/pipermail/full-disclosure/2006-June/046578.html for the advisory. git-svn-id: svn://svn.icculus.org/quake3/trunk@796 edf5b092-35ff-0310-97b2-ce42778d08ea
-rw-r--r--code/client/cl_parse.c28
1 files changed, 20 insertions, 8 deletions
diff --git a/code/client/cl_parse.c b/code/client/cl_parse.c
index e9eddc7..81bdf5c 100644
--- a/code/client/cl_parse.c
+++ b/code/client/cl_parse.c
@@ -255,6 +255,13 @@ void CL_ParseSnapshot( msg_t *msg ) {
// read areamask
len = MSG_ReadByte( msg );
+
+ if(len > sizeof(newSnap.areamask))
+ {
+ Com_Error (ERR_DROP,"CL_ParseSnapshot: Invalid size %d for areamask.", len);
+ return;
+ }
+
MSG_ReadData( msg, &newSnap.areamask, len);
// read playerinfo
@@ -475,6 +482,12 @@ void CL_ParseDownload ( msg_t *msg ) {
unsigned char data[MAX_MSGLEN];
int block;
+ if (!*clc.downloadTempName) {
+ Com_Printf("Server sending download, but no download was requested\n");
+ CL_AddReliableCommand( "stopdl" );
+ return;
+ }
+
// read the data
block = MSG_ReadShort ( msg );
@@ -493,8 +506,13 @@ void CL_ParseDownload ( msg_t *msg ) {
}
size = MSG_ReadShort ( msg );
- if (size > 0)
- MSG_ReadData( msg, data, size );
+ if (size < 0 || size > sizeof(data))
+ {
+ Com_Error(ERR_DROP, "CL_ParseDownload: Invalid size %d for download chunk.", size);
+ return;
+ }
+
+ MSG_ReadData(msg, data, size);
if (clc.downloadBlock != block) {
Com_DPrintf( "CL_ParseDownload: Expected block %d, got %d\n", clc.downloadBlock, block);
@@ -504,12 +522,6 @@ void CL_ParseDownload ( msg_t *msg ) {
// open the file if not opened yet
if (!clc.download)
{
- if (!*clc.downloadTempName) {
- Com_Printf("Server sending download, but no download was requested\n");
- CL_AddReliableCommand( "stopdl" );
- return;
- }
-
clc.download = FS_SV_FOpenFileWrite( clc.downloadTempName );
if (!clc.download) {