
Check for valid multiplayer packet.

Instead of just reporting that the magic number, length, etc. of a
multiplayer packet is invalid, abort processing this packet. Also,
check if enough space remains to send a property string.
timoore 2007-12-07 12:43:42 +00:00
parent 743522fcd1
commit d6c97951ca


@ -306,7 +306,7 @@ FGMultiplayMgr::SendMyPosition(const FGExternalMotionData& motionInfo)
it = motionInfo.properties.begin(); it = motionInfo.properties.begin();
//cout << "OUTPUT PROPERTIES\n"; //cout << "OUTPUT PROPERTIES\n";
while (it != motionInfo.properties.end() while (it != motionInfo.properties.end()
&& ptr < (Msg + MAX_PACKET_SIZE - sizeof(xdr_data_t))) { && ptr + 2 * sizeof(xdr_data_t) < (Msg + MAX_PACKET_SIZE)) {
// First elements is the ID // First elements is the ID
xdr_data_t xdr = XDR_encode_uint32((*it)->id); xdr_data_t xdr = XDR_encode_uint32((*it)->id);
@ -344,6 +344,10 @@ FGMultiplayMgr::SendMyPosition(const FGExternalMotionData& motionInfo)
// Add the length // Add the length
////cout << "String length: " << strlen(lcharptr) << "\n"; ////cout << "String length: " << strlen(lcharptr) << "\n";
uint32_t len = strlen(lcharptr); uint32_t len = strlen(lcharptr);
// XXX This should not be using 4 bytes per character!
if (ptr + (1 + len + (4 - len % 4)) * sizeof (xdr_data_t)
>= (Msg + MAX_PACKET_SIZE))
goto escape;
//cout << "String length unint32: " << len << "\n"; //cout << "String length unint32: " << len << "\n";
xdr = XDR_encode_uint32(len); xdr = XDR_encode_uint32(len);
memcpy(ptr, &xdr, sizeof(xdr_data_t)); memcpy(ptr, &xdr, sizeof(xdr_data_t));
@ -353,6 +357,7 @@ FGMultiplayMgr::SendMyPosition(const FGExternalMotionData& motionInfo)
{ {
// Now the text itself // Now the text itself
// XXX This should not be using 4 bytes per character!
int lcount = 0; int lcount = 0;
while ((*lcharptr != '\0') && (lcount < MAX_TEXT_SIZE)) while ((*lcharptr != '\0') && (lcount < MAX_TEXT_SIZE))
{ {
@ -401,6 +406,7 @@ FGMultiplayMgr::SendMyPosition(const FGExternalMotionData& motionInfo)
++it; ++it;
} }
escape:
T_MsgHdr MsgHdr; T_MsgHdr MsgHdr;
FillMsgHdr(&MsgHdr, POS_DATA_ID, ptr - Msg); FillMsgHdr(&MsgHdr, POS_DATA_ID, ptr - Msg);
@ -508,14 +514,17 @@ FGMultiplayMgr::Update(void)
if (MsgHdr->Magic != MSG_MAGIC) { if (MsgHdr->Magic != MSG_MAGIC) {
SG_LOG( SG_NETWORK, SG_ALERT, "FGMultiplayMgr::MP_ProcessData - " SG_LOG( SG_NETWORK, SG_ALERT, "FGMultiplayMgr::MP_ProcessData - "
<< "message has invalid magic number!" ); << "message has invalid magic number!" );
break;
} }
if (MsgHdr->Version != PROTO_VER) { if (MsgHdr->Version != PROTO_VER) {
SG_LOG( SG_NETWORK, SG_ALERT, "FGMultiplayMgr::MP_ProcessData - " SG_LOG( SG_NETWORK, SG_ALERT, "FGMultiplayMgr::MP_ProcessData - "
<< "message has invalid protocoll number!" ); << "message has invalid protocoll number!" );
break;
} }
if (MsgHdr->MsgLen != bytes) { if (MsgHdr->MsgLen != bytes) {
SG_LOG( SG_NETWORK, SG_ALERT, "FGMultiplayMgr::MP_ProcessData - " SG_LOG( SG_NETWORK, SG_ALERT, "FGMultiplayMgr::MP_ProcessData - "
<< "message has invalid length!" ); << "message has invalid length!" );
break;
} }
////////////////////////////////////////////////// //////////////////////////////////////////////////
// Process messages // Process messages
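Review bot: The new space check before `goto escape` in SendMyPosition sizes the string from the unclamped `strlen(lcharptr)`, and that same `len` is then encoded into the packet, while the copy loop further down stops at `MAX_TEXT_SIZE` characters; for a longer string the receiver is told a length larger than the data that follows. Clamping first, e.g. `uint32_t len = std::min<size_t>(strlen(lcharptr), MAX_TEXT_SIZE);`, keeps the check, the encoded length and the copy in agreement. The check also forms `ptr + (...) * sizeof (xdr_data_t)`, which can point far past the end of `Msg` for a long string; comparing the needed byte count with `(Msg + MAX_PACKET_SIZE) - ptr` avoids out-of-range pointer arithmetic. By the time `escape:` is reached the property id for the current entry appears to have been written already (that write is outside the visible hunks), so the packet may end with a partial property record; rewinding `ptr` to the start of the entry before the jump would avoid that.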