ref: 859247117dcbf5a92b9dcd9fa6754a773c84d932
parent: 01271d8b49ba6ba3226373e656fda2fa42ae70fb
author: Sigrid Solveig Haflínudóttir <sigrid@ftrv.se>
date: Fri Dec 15 08:52:48 EST 2023
sv: try (harder) not to overflow message buffers
--- a/sv_main.c
+++ b/sv_main.c
@@ -132,7 +132,7 @@
{
int i, v;
- if (sv.datagram.cursize > MAX_DATAGRAM-16)
+ if(sv.datagram.cursize > MAX_DATAGRAM-(1+3*4+3*1+1+1))
return;
MSG_WriteByte(&sv.datagram, svc_particle);
MSG_WriteVec(*sv.protocol, &sv.datagram, org);
@@ -172,7 +172,7 @@
int i;
int ent;
- if (sv.datagram.cursize > MAX_DATAGRAM-21)
+ if (sv.datagram.cursize > MAX_DATAGRAM-(1+1+1+1+2+1+2+3*4))
return;
// find precache number for sound
@@ -323,6 +323,7 @@
client->message.data = client->msgbuf;
client->message.maxsize = sizeof client->msgbuf;
client->message.allowoverflow = true; // we can catch it
+ client->message.name = "client.message";
if(sv.loadgame)
memcpy(client->spawn_parms, spawn_parms, sizeof spawn_parms);
@@ -508,8 +509,7 @@
continue;
}
- if (msg->cursize + 18 > msg->maxsize)
- {
+ if (msg->cursize + 32 > msg->maxsize){
Con_Printf ("packet overflow\n");
return;
}
@@ -645,6 +645,11 @@
// send a damage message
if (ent->v.dmg_take || ent->v.dmg_save)
{
+ if(msg->cursize + 3+3*4 > msg->maxsize){
+ Con_Printf ("packet overflow\n");
+ return;
+ }
+
other = PROG_TO_EDICT(sv.pr, ent->v.dmg_inflictor);
MSG_WriteByte (msg, svc_damage);
MSG_WriteByte (msg, ent->v.dmg_save);
@@ -660,8 +665,11 @@
SV_SetIdealPitch (); // how much to look up / down ideally
// a fixangle might get lost in a dropped packet. Oh well.
- if ( ent->v.fixangle )
- {
+ if(ent->v.fixangle ){
+ if(msg->cursize + 1+3*2 > msg->maxsize){
+ Con_Printf ("packet overflow\n");
+ return;
+ }
MSG_WriteByte (msg, svc_setangle);
for (i=0 ; i < 3 ; i++)
sv.protocol->MSG_WriteAngle (msg, ent->v.angles[i]);
@@ -668,6 +676,11 @@
ent->v.fixangle = 0;
}
+ if(msg->cursize + 64 > msg->maxsize){
+ Con_Printf("packet overflow\n");
+ return;
+ }
+
bits = SU_ITEMS | SU_WEAPON;
if (ent->v.view_ofs[2] != DEFAULT_VIEWHEIGHT)
bits |= SU_VIEWHEIGHT;
@@ -795,6 +808,7 @@
// allow big messages locally, but otherwise (real world) we're forced to use 1400 at most
msg.maxsize = client->netconnection->local ? MAX_DATAGRAM_LOCAL : MAX_DATAGRAM;
msg.cursize = 0;
+ msg.name = "client datagram";
MSG_WriteByte (&msg, svc_time);
MSG_WriteFloat (&msg, sv.time);
@@ -873,6 +887,7 @@
msg.data = buf;
msg.maxsize = sizeof buf;
msg.cursize = 0;
+ msg.name = "nop";
MSG_WriteChar (&msg, svc_nop);
@@ -1092,6 +1107,7 @@
msg.data = data;
msg.cursize = 0;
msg.maxsize = sizeof data;
+ msg.name = "reconnect";
MSG_WriteChar (&msg, svc_stufftext);
MSG_WriteString (&msg, "reconnect\n");