
Commit e97c4bb

author
Kevin Jenkins
committed
Fix DOS vulnerabilities reported by "8ARTEK0V0"
1 parent b7f6ab9 commit e97c4bb


1 file changed

+7
-5
lines changed


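--- a/Source/ReliabilityLayer.cpp
+++ b/Source/ReliabilityLayer.cpp
@@ -735,12 +735,12 @@ bool ReliabilityLayer::HandleSocketReceiveFromConnectedPlayer(
 }
 for (i=0; i<incomingAcks.ranges.Size();i++)
 {
-if (incomingAcks.ranges[i].minIndex>incomingAcks.ranges[i].maxIndex)
+if (incomingAcks.ranges[i].minIndex>incomingAcks.ranges[i].maxIndex || (incomingAcks.ranges[i].maxIndex == (uint24_t)(0xFFFFFFFF)))
 {
 RakAssert(incomingAcks.ranges[i].minIndex<=incomingAcks.ranges[i].maxIndex);
 
 for (unsigned int messageHandlerIndex=0; messageHandlerIndex < messageHandlerList.Size(); messageHandlerIndex++)
-messageHandlerList[messageHandlerIndex]->OnReliabilityLayerNotification("incomingAcks minIndex > maxIndex", BYTES_TO_BITS(length), systemAddress, true);
+messageHandlerList[messageHandlerIndex]->OnReliabilityLayerNotification("incomingAcks minIndex > maxIndex or maxIndex is max value", BYTES_TO_BITS(length), systemAddress, true);
 return false;
 }
 for (datagramNumber=incomingAcks.ranges[i].minIndex; datagramNumber >= incomingAcks.ranges[i].minIndex && datagramNumber <= incomingAcks.ranges[i].maxIndex; datagramNumber++)
@@ -3191,22 +3191,24 @@ InternalPacket * ReliabilityLayer::BuildPacketFromSplitPacketList( SplitPacketCh
 #else
 unsigned int j;
 InternalPacket * internalPacket, *splitPacket;
-int splitPacketPartLength;
+// int splitPacketPartLength;
 
 // Reconstruct
 internalPacket = CreateInternalPacketCopy( splitPacketChannel->splitPacketList[0], 0, 0, time );
 internalPacket->dataBitLength=0;
 for (j=0; j < splitPacketChannel->splitPacketList.Size(); j++)
 internalPacket->dataBitLength+=splitPacketChannel->splitPacketList[j]->dataBitLength;
-splitPacketPartLength=BITS_TO_BYTES(splitPacketChannel->firstPacket->dataBitLength);
+// splitPacketPartLength=BITS_TO_BYTES(splitPacketChannel->firstPacket->dataBitLength);
 
 internalPacket->data = (unsigned char*) rakMalloc_Ex( (size_t) BITS_TO_BYTES( internalPacket->dataBitLength ), _FILE_AND_LINE_ );
 internalPacket->allocationScheme=InternalPacket::NORMAL;
 
+BitSize_t offset = 0;
 for (j=0; j < splitPacketChannel->splitPacketList.Size(); j++)
 {
 splitPacket=splitPacketChannel->splitPacketList[j];
-memcpy(internalPacket->data+splitPacket->splitPacketIndex*splitPacketPartLength, splitPacket->data, (size_t) BITS_TO_BYTES(splitPacketChannel->splitPacketList[j]->dataBitLength));
+memcpy(internalPacket->data + BITS_TO_BYTES(offset), splitPacket->data, (size_t)BITS_TO_BYTES(splitPacketChannel->splitPacketList[j]->dataBitLength));
+offset += splitPacketChannel->splitPacketList[j]->dataBitLength;
 }
 
 for (j=0; j < splitPacketChannel->splitPacketList.Size(); j++)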
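Review bot: In the second hunk the new memcpy rounds the destination offset and the copy length up to bytes separately (`BITS_TO_BYTES(offset)` and `BITS_TO_BYTES(...->dataBitLength)`), while the buffer is sized from the rounded-up total, so if BITS_TO_BYTES rounds up and any part's dataBitLength is not a multiple of 8, the final copy can end one byte past the allocation. Whether part lengths are always byte-aligned is not visible here, and they presumably come from received datagrams, so I would enforce the bound rather than assume it, with a guard before the copy such as `if (BITS_TO_BYTES(offset) + BITS_TO_BYTES(splitPacket->dataBitLength) > BITS_TO_BYTES(internalPacket->dataBitLength))` that frees the packet and fails the reassembly. The result of `rakMalloc_Ex` is also written through without a null check in the visible lines. BuildPacketFromSplitPacketList starts and ends outside the hunk, so the existing cleanup path is not shown.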
