author | thilo <thilo@edf5b092-35ff-0310-97b2-ce42778d08ea> | 2006-06-04 13:45:53 +0000 |
---|---|---|
committer | thilo <thilo@edf5b092-35ff-0310-97b2-ce42778d08ea> | 2006-06-04 13:45:53 +0000 |
commit | 3b2cb2af2303bb9bcc07a946846afc59b1f44fe1 (patch) | |
tree | 8fc470828528bca54305ddcf52217ba978a245aa | |
parent | 9ec60051feda995069d17a9590ccaf13dbef895c (diff) | |
Fix remotely exploitable parse download overflow reported by Luigi Auriemma.
See http://lists.grok.org.uk/pipermail/full-disclosure/2006-June/046578.html
for the advisory.
git-svn-id: svn://svn.icculus.org/quake3/trunk@796 edf5b092-35ff-0310-97b2-ce42778d08ea
-rw-r--r-- | code/client/cl_parse.c | 28 |
1 files changed, 20 insertions, 8 deletions
diff --git a/code/client/cl_parse.c b/code/client/cl_parse.c
index e9eddc7..81bdf5c 100644
--- a/code/client/cl_parse.c
+++ b/code/client/cl_parse.c
@@ -255,6 +255,13 @@ void CL_ParseSnapshot( msg_t *msg ) {
 	// read areamask
 	len = MSG_ReadByte( msg );
+
+	if(len > sizeof(newSnap.areamask))
+	{
+		Com_Error (ERR_DROP,"CL_ParseSnapshot: Invalid size %d for areamask.", len);
+		return;
+	}
+
 	MSG_ReadData( msg, &newSnap.areamask, len);
 	// read playerinfo
@@ -475,6 +482,12 @@ void CL_ParseDownload ( msg_t *msg ) {
 	unsigned char data[MAX_MSGLEN];
 	int block;
+	if (!*clc.downloadTempName) {
+		Com_Printf("Server sending download, but no download was requested\n");
+		CL_AddReliableCommand( "stopdl" );
+		return;
+	}
+
 	// read the data
 	block = MSG_ReadShort ( msg );
@@ -493,8 +506,13 @@ void CL_ParseDownload ( msg_t *msg ) {
 	}
 	size = MSG_ReadShort ( msg );
-	if (size > 0)
-		MSG_ReadData( msg, data, size );
+	if (size < 0 || size > sizeof(data))
+	{
+		Com_Error(ERR_DROP, "CL_ParseDownload: Invalid size %d for download chunk.", size);
+		return;
+	}
+
+	MSG_ReadData(msg, data, size);
 	if (clc.downloadBlock != block) {
 		Com_DPrintf( "CL_ParseDownload: Expected block %d, got %d\n", clc.downloadBlock, block);
@@ -504,12 +522,6 @@ void CL_ParseDownload ( msg_t *msg ) {
 	// open the file if not opened yet
 	if (!clc.download) {
-		if (!*clc.downloadTempName) {
-			Com_Printf("Server sending download, but no download was requested\n");
-			CL_AddReliableCommand( "stopdl" );
-			return;
-		}
-
 		clc.download = FS_SV_FOpenFileWrite( clc.downloadTempName );
 		if (!clc.download) {
|
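Review bot: The new areamask bound `if(len > sizeof(newSnap.areamask))` rejects a negative `len` only by accident: `len` is a signed int compared against a `size_t`, so a negative value (which MSG_ReadByte may yield on a short read — its contract is not visible here) is converted to a huge unsigned number and happens to fail the check. The CL_ParseDownload hunk further down spells the same guard out explicitly as `size < 0 || size > sizeof(data)`; for consistency, and so the intent survives a later change to `len`'s type, write this one as `if (len < 0 || len > sizeof(newSnap.areamask))` as well. If Com_Error(ERR_DROP) does not return to the caller, as the ERR_DROP convention suggests, the `return;` after it is unreachable but harmless. CL_ParseSnapshot begins and ends outside the hunk.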
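Review bot: The chunk-size check `if (size < 0 || size > sizeof(data))` is only a correct bound because `data` is the local array `unsigned char data[MAX_MSGLEN]` declared at the top of CL_ParseDownload (visible in the previous hunk), so `sizeof(data)` is the buffer length and not a pointer size; that dependency deserves a comment, since hoisting the buffer out or passing it as a parameter would silently turn the bound into `sizeof(unsigned char *)`. Suggested comment above the check: `// size is a signed short off the wire: reject negatives first, then bound by the stack buffer (data is an array here, so sizeof is its length)`. The old `if (size > 0)` guard is also gone, so a zero-length chunk now reaches `MSG_ReadData(msg, data, 0)`; that looks harmless but is a behaviour change worth a line in the description. CL_ParseDownload continues outside the hunk.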