A few more sanity checks from upstream svn. Index: src/NetPanzer/Interfaces/ChatInterface.cpp =================================================================== --- src/NetPanzer/Interfaces/ChatInterface.cpp (revision 928) +++ src/NetPanzer/Interfaces/ChatInterface.cpp (revision 929) @@ -39,9 +39,16 @@ ChatMesg chat_mesg; const ChatMesgRequest* chat_request = (const ChatMesgRequest*) message; + if(chat_request->getSourcePlayerIndex() >= PlayerInterface::getMaxPlayers()) + { + LOGGER.warning("Invalid chatMessageRequest"); + return; + } + chat_mesg.setSourcePlayerIndex(chat_request->getSourcePlayerIndex()); chat_mesg.message_scope = chat_request->message_scope; - strcpy( chat_mesg.message_text, chat_request->message_text ); + snprintf(chat_mesg.message_text, sizeof(chat_mesg.message_text), "%s", + chat_request->message_text); if( chat_request->message_scope == _chat_mesg_scope_all ) { SERVER->sendMessage(&chat_mesg, sizeof(ChatMesg)); @@ -126,6 +133,11 @@ unsigned short local_player_index; const ChatMesg *chat_mesg = (const ChatMesg*) message; + if(chat_mesg->getSourcePlayerIndex() >= PlayerInterface::getMaxPlayers()) { + LOGGER.warning("malformed chatmessage packet."); + return; + } + if( chat_mesg->message_scope == _chat_mesg_scope_server ) { ConsoleInterface::postMessage("Server: %s", chat_mesg->message_text ); return; Index: src/NetPanzer/Interfaces/GameManager.cpp =================================================================== --- src/NetPanzer/Interfaces/GameManager.cpp (revision 928) +++ src/NetPanzer/Interfaces/GameManager.cpp (revision 929) @@ -411,6 +411,11 @@ = (const SystemConnectAlert*) message; PlayerState *player_state = 0; + if(connect_alert->getPlayerID() >= PlayerInterface::getMaxPlayers()) { + LOGGER.warning("Malformed connect alert message."); + return; + } + player_state = PlayerInterface::getPlayerState( connect_alert->getPlayerID() ); switch (connect_alert->alert_enum) { 
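Review bot: The snprintf that replaces strcpy bounds only the destination; with a plain `%s` it still reads `chat_request->message_text` until a NUL, so a request whose text field is not terminated overruns the source buffer exactly as strcpy did. Giving the format a precision, `snprintf(chat_mesg.message_text, sizeof(chat_mesg.message_text), "%.*s", (int)sizeof(chat_request->message_text), chat_request->message_text);`, closes that provided message_text is an inline array in the request struct (confirm in the message definition). The new index check also only validates the range of the claimed source player; nothing ties it to the connection the request arrived on, so a client can presumably chat as any other player unless the server compares it with the sender's own index. The handler's signature lies before the hunk.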
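Review bot: The index check added to chatMessage does not protect the `"Server: %s"` call two lines below it, which prints `chat_mesg->message_text` with no guarantee that the received field is NUL-terminated, so a malformed packet can still read past the message. A bounded local copy before the scope dispatch contains it: `char text[sizeof(chat_mesg->message_text) + 1];` then `snprintf(text, sizeof text, "%.*s", (int)sizeof(chat_mesg->message_text), chat_mesg->message_text);` and pass `text` to postMessage — assuming message_text is an inline array, which the header should confirm. The enclosing handler starts before and ends after this hunk.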
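Review bot: The warning added before `getPlayerState` throws away the only evidence of what was rejected; a check that exists to catch hostile or broken peers should log the offending id, e.g. `LOGGER.warning("Malformed connect alert message (player id %u)", (unsigned)connect_alert->getPlayerID());` if LOGGER.warning takes a format string — confirm against Util/Log.hpp, since the diff shows only bare messages. The same applies to every bare "Malformed"/"Invalid" warning this commit adds. The `switch` on `alert_enum` runs into the part of the function outside the hunk, so whether an out-of-range enum is handled there cannot be seen here.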
@@ -471,6 +476,11 @@ const SystemPingRequest *ping_request = (const SystemPingRequest*) message; + if(ping_request->getClientPlayerIndex() >= PlayerInterface::getMaxPlayers()) { + LOGGER.warning("Invalid pingRequest message"); + return; + } + player_id = PlayerInterface::getPlayerID( ping_request->getClientPlayerIndex() ); SystemPingAcknowledge ping_ack; Index: src/NetPanzer/Interfaces/PlayerInterface.cpp =================================================================== --- src/NetPanzer/Interfaces/PlayerInterface.cpp (revision 928) +++ src/NetPanzer/Interfaces/PlayerInterface.cpp (revision 929) @@ -25,6 +25,7 @@ #include "PlayerNetMessage.hpp" #include "Server.hpp" #include "NetworkServer.hpp" +#include "Util/Log.hpp" #include "ConsoleInterface.hpp" // for UNIT_FLAGS_SURFACE @@ -410,6 +411,10 @@ = (const PlayerConnectID *) message; local_player_index = connect_mesg->connect_state.getPlayerIndex(); + if(local_player_index >= max_players) { + LOGGER.warning("Invalide netMessageConnectID Message"); + return; + } SDL_mutexP(mutex); player_lists[local_player_index].setFromNetworkPlayerState @@ -423,6 +428,12 @@ const PlayerStateSync *sync_mesg = (const PlayerStateSync *) message; uint16_t player_index = sync_mesg->player_state.getPlayerIndex(); + + if(player_index >= max_players) { + LOGGER.warning("Malformed MessageSyncState message"); + return; + } + SDL_mutexP(mutex); player_lists[player_index].setFromNetworkPlayerState(&sync_mesg->player_state); forceUniquePlayerFlags(); 
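Review bot: This is the third hand-written copy of the `index >= PlayerInterface::getMaxPlayers()` guard in the series, and PlayerInterface.cpp adds four more against `max_players`, each with different wording; a single `PlayerInterface::isValidPlayerIndex(idx)` helper would keep the bound in one place and make it harder to omit on the next handler. Here it would read `if(!PlayerInterface::isValidPlayerIndex(ping_request->getClientPlayerIndex())) { LOGGER.warning("Invalid pingRequest message"); return; }`. The helper is not part of this diff and would need adding next to getMaxPlayers. The surrounding function continues outside the hunk.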
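Review bot: The log text on the new guard in netMessageConnectID is misspelled, `LOGGER.warning("Invalid netMessageConnectID Message");`, which matters a little more than usual because these strings are what an operator will grep for when a peer starts sending bad indices. The comparison also reads `max_players` before `SDL_mutexP(mutex)` is taken; that is fine if max_players is fixed for the session, but if it is ever changed under the mutex the check would race — where it is set is not in the diff. The enclosing handler starts before the hunk.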
@@ -475,6 +486,14 @@ const PlayerScoreUpdate* score_update = (const PlayerScoreUpdate *) message; + if(score_update->getKillByPlayerIndex() >= PlayerInterface::getMaxPlayers() + || score_update->getKillOnPlayerIndex() + >= PlayerInterface::getMaxPlayers()) + { + LOGGER.warning("Malformed scrore update packet."); + return; + } + PlayerState* player1 = getPlayer(score_update->getKillByPlayerIndex()); PlayerState* player2 = getPlayer(score_update->getKillOnPlayerIndex()); setKill(player1, player2, (UnitType) score_update->unit_type ); @@ -487,6 +506,12 @@ const PlayerAllianceRequest *allie_request = (const PlayerAllianceRequest *) message; + if(allie_request->getAllieByPlayerIndex() >= max_players + || allie_request->getAllieWithPlayerIndex() >= max_players) { + LOGGER.warning("Invalid alliance request message"); + return; + } + SDL_mutexP(mutex); if ( allie_request->alliance_request_type == _player_make_alliance ) { setAlliance( @@ -541,6 +566,12 @@ const PlayerAllianceUpdate* allie_update = (const PlayerAllianceUpdate *) message; + if(allie_update->getAllieByPlayerIndex() >= max_players + || allie_update->getAllieWithPlayerIndex() >= max_players) { + LOGGER.warning("Invalid alliance update message"); + return; + } + SDL_mutexP(mutex); if (allie_update->alliance_update_type == _player_make_alliance) { setAlliance( Index: src/NetPanzer/Interfaces/InfoThread.cpp =================================================================== --- src/NetPanzer/Interfaces/InfoThread.cpp (revision 928) +++ src/NetPanzer/Interfaces/InfoThread.cpp (revision 929) 
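Review bot: The new guard in the score-update handler has a typo in its log text and, unlike the other three guards this commit adds in PlayerInterface.cpp, compares against `PlayerInterface::getMaxPlayers()` rather than the `max_players` member used by the alliance hunks below; `if(score_update->getKillByPlayerIndex() >= max_players || score_update->getKillOnPlayerIndex() >= max_players)` with `LOGGER.warning("Malformed score update packet.");` keeps all four consistent, assuming getMaxPlayers() simply returns that member. Both indices are still taken from the packet without reference to who sent it, so a peer can presumably credit itself with kills on any player; if the server can map a connection to its player index, the kill-by index should be required to match it. The function continues past the hunk.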
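Review bot: The range check on the alliance request leaves the "by" index entirely caller-controlled, so any connected client can presumably file or break alliances on behalf of another player; the handler should reject a request whose `getAllieByPlayerIndex()` does not match the player bound to the connection it arrived on, if the network layer keeps that mapping. Whether `getAllieByPlayerIndex() == getAllieWithPlayerIndex()` is meaningful to `setAlliance` is not visible here either; if a self-alliance is nonsensical it is cheap to reject in the same condition. The handler continues outside the hunk.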
@@ -174,15 +174,20 @@ InfoThread::sendPlayers(std::stringstream& out) { ObjectiveInterface::updatePlayerObjectiveCounts(); - for(int i = 0; i < PlayerInterface::countPlayers(); ++i) { + int n = 0; + for(int i = 0; i < PlayerInterface::getMaxPlayers(); ++i) { PlayerState* playerState = PlayerInterface::getPlayerState(i); - out << "player_" << i << "\\" << playerState->getName() << "\\" - << "kills_" << i << "\\" << playerState->getKills() << "\\" - << "deaths_" << i << "\\" << playerState->getLosses() << "\\" - << "score_" << i << "\\" + if(playerState->getStatus() != _player_state_active) + continue; + + out << "player_" << n << "\\" << playerState->getName() << "\\" + << "kills_" << n << "\\" << playerState->getKills() << "\\" + << "deaths_" << n << "\\" << playerState->getLosses() << "\\" + << "score_" << n << "\\" << playerState->getObjectivesHeld() << "\\" - << "flag_" << i << "\\" + << "flag_" << n << "\\" << (int) playerState->getFlag() << "\\"; + n++; } // TODO add team/alliance info } Index: src/NetPanzer/Classes/Network/NetMessageDecoder.cpp =================================================================== --- src/NetPanzer/Classes/Network/NetMessageDecoder.cpp (revision 928) +++ src/NetPanzer/Classes/Network/NetMessageDecoder.cpp (revision 929) @@ -57,6 +57,12 @@ return false; *message = (NetMessage *) (decode_message.data + decode_message_index); + if( (*message)->getSize() > + decode_message.getSize() - decode_message.getHeaderSize() - + decode_message_index) { + LOGGER.warning("Malformed Multimessage!"); + return false; + } decode_message_index += (*message)->getSize(); decode_current_count++; Index: src/NetPanzer/Classes/Objective.cpp =================================================================== --- src/NetPanzer/Classes/Objective.cpp (revision 928) +++ src/NetPanzer/Classes/Objective.cpp (revision 929) 
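Review bot: The rewritten loop emits `playerState->getName()` straight into the backslash-delimited key\value stream, so a player name containing a backslash (or whatever terminates the record) corrupts the framing for every client parsing the server-info reply — and a name is something a remote player chooses. Unless names are already filtered on the way in, strip the separator before emitting: `std::string name(playerState->getName());` then `name.erase(std::remove(name.begin(), name.end(), '\\'), name.end());` and write `name` where the call was (needs `<algorithm>`). `getPlayerState(i)` is also dereferenced without a null check, which is fine only if it returns a pointer into the fixed player array for every index below getMaxPlayers(); the diff does not show that.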
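Review bot: The new bound is evaluated by calling `(*message)->getSize()`, which reads the size field of a header at `decode_message_index` before anything has established that a full header's worth of bytes remains, so a multimessage that ends a few bytes into a header still reads past the buffer. A size of zero, or smaller than the header, also passes the check and leaves `decode_message_index` unadvanced, so the same bytes are handed back on every call until the count runs out. Computing the remaining length first and rejecting both cases fixes it; the sketch below assumes the header size is `sizeof(NetMessage)` and that the three unsigned terms cannot underflow (index never exceeds payload length) — both worth confirming. The function's prologue and its first `return false` are outside the hunk.
```cpp
    size_t remaining = decode_message.getSize() - decode_message.getHeaderSize()
                       - decode_message_index;
    if( remaining < sizeof(NetMessage) ) {
        LOGGER.warning("Malformed Multimessage!");
        return false;
    }
    *message = (NetMessage *) (decode_message.data + decode_message_index);
    size_t msgSize = (*message)->getSize();
    if( msgSize < sizeof(NetMessage) || msgSize > remaining ) {
        LOGGER.warning("Malformed Multimessage!");
        return false;
    }
    // … unchanged: advance decode_message_index and decode_current_count …
```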
@@ -69,6 +69,11 @@ { const SyncObjective *sync_mesg = (const SyncObjective*) message; + if(sync_mesg->getOccupyingPlayerID() >= PlayerInterface::getMaxPlayers()) { + LOGGER.warning("Malformed ObjectvieMesgSync"); + return; + } + objective_state.objective_status = sync_mesg->objective_status; objective_state.occupation_status = sync_mesg->occupation_status; if(objective_state.occupation_status != _occupation_status_unoccupied) {
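Review bot: The new guard rejects a SyncObjective whenever `getOccupyingPlayerID()` is out of range, but the code right after it only consults the occupying player when `occupation_status != _occupation_status_unoccupied`; if the sender puts a sentinel such as an all-ones id in an unoccupied sync (the diff does not show what it sends), every such sync is now dropped and an objective would never show as freed. Conditioning the check on the status keeps the protection where the id is actually used without partially updating objective_state: `if(sync_mesg->occupation_status != _occupation_status_unoccupied && sync_mesg->getOccupyingPlayerID() >= PlayerInterface::getMaxPlayers())`. The log text also misspells Objective, `LOGGER.warning("Malformed ObjectiveMesgSync");`. `objective_status` and `occupation_status` are copied without range checks, and whether downstream code handles unexpected values cannot be seen here; the handler starts before the hunk and continues past it.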