
Commit 47b723c

fix(netpacket): Protect text length value from overflowing in NetPacketChatCommand, NetPacketDisconnectChatCommand (#2284)
1 parent bc17ddf commit 47b723c

2 files changed

Lines changed: 18 additions & 12 deletions


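--- a/Core/GameEngine/Include/GameNetwork/NetPacketStructs.h
+++ b/Core/GameEngine/Include/GameNetwork/NetPacketStructs.h
@@ -194,6 +194,9 @@ struct NetPacketChatCommand {
 NetPacketDataField dataHeader;
 UnsignedByte textLength;
 // Variable fields: WideChar text[textLength] + Int playerMask
+
+enum { MaxTextLen = 255 };
+static Int getUsableTextLength(const UnicodeString& text) { return min(text.getLength(), (Int)MaxTextLen); }
 };
 
 struct NetPacketDisconnectChatCommand {
@@ -203,6 +206,9 @@ struct NetPacketDisconnectChatCommand {
 NetPacketDataField dataHeader;
 UnsignedByte textLength;
 // Variable fields: WideChar text[textLength]
+
+enum { MaxTextLen = 255 };
+static Int getUsableTextLength(const UnicodeString& text) { return min(text.getLength(), (Int)MaxTextLen); }
 };
 
 struct NetPacketGameCommand {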
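Review bot: `getUsableTextLength` clamps to 255 code units, and the senders in NetPacket.cpp copy `sizeof(UnsignedShort)` bytes per unit, so a string cut at exactly MaxTextLen can end on the high half of a UTF-16 surrogate pair and the peer receives an unpaired surrogate; if chat text can carry non-BMP characters (I cannot tell from this hunk), the helper should drop one more unit when the last kept unit is in 0xD800–0xDBFF. The constant is also duplicated verbatim in both structs with no statement of why it is 255; a comment on each `enum { MaxTextLen = 255 };` such as `// Largest value representable in the UnsignedByte textLength field above; senders clamp to it` would tie the cap to the field it protects. Both enclosing struct definitions begin before their hunks.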

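--- a/Core/GameEngine/Source/GameNetwork/NetPacket.cpp
+++ b/Core/GameEngine/Source/GameNetwork/NetPacket.cpp
@@ -714,7 +714,7 @@ void NetPacket::FillBufferWithDisconnectChatCommand(UnsignedByte *buffer, NetCom
 packet->dataHeader.header = NetPacketFieldTypes::Data;
 
 UnicodeString unitext = cmdMsg->getText();
-packet->textLength = unitext.getLength();
+packet->textLength = NetPacketDisconnectChatCommand::getUsableTextLength(unitext);
 
 // Variable data portion
 UnsignedShort offset = sizeof(NetPacketDisconnectChatCommand);
@@ -758,7 +758,7 @@ void NetPacket::FillBufferWithChatCommand(UnsignedByte *buffer, NetCommandRef *m
 packet->dataHeader.header = NetPacketFieldTypes::Data;
 
 UnicodeString unitext = cmdMsg->getText();
-packet->textLength = unitext.getLength();
+packet->textLength = NetPacketChatCommand::getUsableTextLength(unitext);
 
 // Variable data portion
 UnsignedShort offset = sizeof(NetPacketChatCommand);
@@ -2299,12 +2299,12 @@ Bool NetPacket::addDisconnectChatCommand(NetCommandRef *msg) {
 m_packet[m_packetLen] = NetPacketFieldTypes::Data;
 ++m_packetLen;
 UnicodeString unitext = cmdMsg->getText();
-UnsignedByte length = unitext.getLength();
-memcpy(m_packet + m_packetLen, &length, sizeof(UnsignedByte));
+UnsignedByte textLen = NetPacketDisconnectChatCommand::getUsableTextLength(unitext);
+memcpy(m_packet + m_packetLen, &textLen, sizeof(UnsignedByte));
 m_packetLen += sizeof(UnsignedByte);
 
-memcpy(m_packet + m_packetLen, unitext.str(), length * sizeof(UnsignedShort));
-m_packetLen += length * sizeof(UnsignedShort);
+memcpy(m_packet + m_packetLen, unitext.str(), textLen * sizeof(UnsignedShort));
+m_packetLen += textLen * sizeof(UnsignedShort);
 
 // DEBUG_LOG_LEVEL(DEBUG_LEVEL_NET, ("NetPacket - added disconnect chat command"));
 
@@ -2335,7 +2335,7 @@ Bool NetPacket::isRoomForDisconnectChatMessage(NetCommandRef *msg) {
 
 ++len; // for NetPacketFieldTypes::Data
 len += sizeof(UnsignedByte); // string length
-UnsignedByte textLen = cmdMsg->getText().getLength();
+UnsignedByte textLen = NetPacketDisconnectChatCommand::getUsableTextLength(cmdMsg->getText());
 len += textLen * sizeof(UnsignedShort);
 if ((len + m_packetLen) > MAX_PACKET_SIZE) {
 return FALSE;
@@ -2410,13 +2410,13 @@ Bool NetPacket::addChatCommand(NetCommandRef *msg) {
 m_packet[m_packetLen] = NetPacketFieldTypes::Data;
 ++m_packetLen;
 UnicodeString unitext = cmdMsg->getText();
-UnsignedByte length = unitext.getLength();
+UnsignedByte textLen = NetPacketChatCommand::getUsableTextLength(unitext);
 Int playerMask = cmdMsg->getPlayerMask();
-memcpy(m_packet + m_packetLen, &length, sizeof(UnsignedByte));
+memcpy(m_packet + m_packetLen, &textLen, sizeof(UnsignedByte));
 m_packetLen += sizeof(UnsignedByte);
 
-memcpy(m_packet + m_packetLen, unitext.str(), length * sizeof(UnsignedShort));
-m_packetLen += length * sizeof(UnsignedShort);
+memcpy(m_packet + m_packetLen, unitext.str(), textLen * sizeof(UnsignedShort));
+m_packetLen += textLen * sizeof(UnsignedShort);
 
 memcpy(m_packet + m_packetLen, &playerMask, sizeof(Int));
 m_packetLen += sizeof(Int);
@@ -2458,7 +2458,7 @@ Bool NetPacket::isRoomForChatMessage(NetCommandRef *msg) {
 
 ++len; // for NetPacketFieldTypes::Data
 len += sizeof(UnsignedByte); // string length
-UnsignedByte textLen = cmdMsg->getText().getLength();
+UnsignedByte textLen = NetPacketChatCommand::getUsableTextLength(cmdMsg->getText());
 len += textLen * sizeof(UnsignedShort);
 len += sizeof(Int); // playerMask
 if ((len + m_packetLen) > MAX_PACKET_SIZE) {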
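Review bot: The truncation in addDisconnectChatCommand and addChatCommand (hunks at 2299 and 2410) is silent: a message longer than MaxTextLen loses its tail with no trace, and the only nearby diagnostic is the commented-out DEBUG_LOG_LEVEL in the 2299 hunk. A one-line note before the clamp in each of those two hunks, `// Text longer than MaxTextLen is silently cut to fit the UnsignedByte length field`, would make that intentional, and a net-level debug log when `unitext.getLength() > NetPacketChatCommand::MaxTextLen` would make dropped chat visible in logs. The same clamp now runs in isRoomFor*Message and in add*Command independently, so the room check and the bytes actually written agree, which is the right shape. I cannot see the receive-side parser in this commit; since textLength arrives from the peer, the reader should still bound `textLen * sizeof(UnsignedShort)` against the bytes remaining in the packet rather than rely on the sender having clamped. Every function touched here starts and ends outside its hunk.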
