From: timoore <timoore>
Date: Fri, 7 Dec 2007 12:43:42 +0000 (+0000)
Subject: Check for valid multiplayer packet.
X-Git-Url: https://git.mxchange.org/?a=commitdiff_plain;h=d6c97951ca9e4ea910bbeb3e0d5772ee6198266f;p=flightgear.git

Check for valid multiplayer packet.

Instead of just reporting that the magic number, length, etc. of a
multiplayer packet is invalid, abort processing this packet. Also,
check if enough space remains to send a property string.
---

diff --git a/src/MultiPlayer/multiplaymgr.cxx b/src/MultiPlayer/multiplaymgr.cxx
index e7cf7be75..c778a30a2 100644
--- a/src/MultiPlayer/multiplaymgr.cxx
+++ b/src/MultiPlayer/multiplaymgr.cxx
@@ -306,7 +306,7 @@ FGMultiplayMgr::SendMyPosition(const FGExternalMotionData& motionInfo)
   it = motionInfo.properties.begin();
   //cout << "OUTPUT PROPERTIES\n";
   while (it != motionInfo.properties.end()
-         && ptr < (Msg + MAX_PACKET_SIZE - sizeof(xdr_data_t))) {
+         && ptr + 2 * sizeof(xdr_data_t) < (Msg + MAX_PACKET_SIZE)) {
              
     // First elements is the ID
     xdr_data_t xdr = XDR_encode_uint32((*it)->id);
@@ -344,6 +344,10 @@ FGMultiplayMgr::SendMyPosition(const FGExternalMotionData& motionInfo)
             // Add the length         
             ////cout << "String length: " << strlen(lcharptr) << "\n";
             uint32_t len = strlen(lcharptr);
+            // XXX This should not be using 4 bytes per character!
+            if (ptr + (1 + len + (4 - len % 4)) * sizeof (xdr_data_t)
+                >= (Msg + MAX_PACKET_SIZE))
+                goto escape;
             //cout << "String length unint32: " << len << "\n";
             xdr = XDR_encode_uint32(len);
             memcpy(ptr, &xdr, sizeof(xdr_data_t));
@@ -352,7 +356,8 @@ FGMultiplayMgr::SendMyPosition(const FGExternalMotionData& motionInfo)
             if (len != 0)
             {
 
-              // Now the text itself          
+              // Now the text itself
+              // XXX This should not be using 4 bytes per character!
               int lcount = 0;
               while ((*lcharptr != '\0') && (lcount < MAX_TEXT_SIZE)) 
               {
@@ -401,7 +406,8 @@ FGMultiplayMgr::SendMyPosition(const FGExternalMotionData& motionInfo)
         
     ++it;
   }
-
+escape:
+  
   T_MsgHdr MsgHdr;
   FillMsgHdr(&MsgHdr, POS_DATA_ID, ptr - Msg);
   memcpy(Msg, &MsgHdr, sizeof(T_MsgHdr));
@@ -508,14 +514,17 @@ FGMultiplayMgr::Update(void)
     if (MsgHdr->Magic != MSG_MAGIC) {
       SG_LOG( SG_NETWORK, SG_ALERT, "FGMultiplayMgr::MP_ProcessData - "
               << "message has invalid magic number!" );
+      break;
     }
     if (MsgHdr->Version != PROTO_VER) {
       SG_LOG( SG_NETWORK, SG_ALERT, "FGMultiplayMgr::MP_ProcessData - "
               << "message has invalid protocoll number!" );
+      break;
     }
     if (MsgHdr->MsgLen != bytes) {
       SG_LOG( SG_NETWORK, SG_ALERT, "FGMultiplayMgr::MP_ProcessData - "
               << "message has invalid length!" );
+      break;
     }
     //////////////////////////////////////////////////
     //  Process messages