Fix potential buffer overflow in xrGameSpyServer::OnMessage.

OpenXRay · Oct 9, 2014 · 99de510 · Xottab-DUTY · Mar 9, 2019 · 99de510
1 parent 9bef2c2
commit 99de510
Showing 1 changed file with 12 additions and 3 deletions.
diff --git a/src/xrGame/xrGameSpyServer.cpp b/src/xrGame/xrGameSpyServer.cpp
@@ -167,9 +167,18 @@ u32				xrGameSpyServer::OnMessage(NET_Packet& P, ClientID sender)			// Non-Zero
 	{
 	case M_GAMESPY_CDKEY_VALIDATION_CHALLENGE_RESPOND:
 		{
-			string128 ResponseStr;
-			P.r_stringZ(ResponseStr);
-
+            string128 ResponseStr = "";
+            u32 bytesRemain = P.r_elapsed();
+            if (bytesRemain == 0 || bytesRemain > sizeof(ResponseStr))
+            {
+                xr_string clientIp = CL->m_cAddress.to_string();
+                Msg("! WARNING: Validation challenge respond from client [%s] is %s. DoS attack?",
+                    clientIp.c_str(), bytesRemain == 0 ? "empty" : "too long");
+                DisconnectClient(CL, "");
+                // XXX nitrocaster: block IP address after X such attempts
+                return 0;
+            }
+            P.r_stringZ(ResponseStr);
 			if (!CL->m_bCDKeyAuth)
 			{
 #ifndef MASTER_GOLD