<URL: http://bugs.freeciv.org/Ticket/Display.html?id=39746 >

The connection should be broken when the client or the server receives a
packet in which the array size of one of its members is greater than the
maximum in the definition.

For example:
PACKET_ENDGAME_REPORT=13;sc,lsend
  UINT8 nscores;
  PLAYER id[MAX_NUM_PLAYERS:nscores];
  UINT16 score[MAX_NUM_PLAYERS:nscores];
  UINT32 pop[MAX_NUM_PLAYERS:nscores];
  UINT16 bnp[MAX_NUM_PLAYERS:nscores];
  UINT16 mfg[MAX_NUM_PLAYERS:nscores];
  UINT16 cities[MAX_NUM_PLAYERS:nscores];
  UINT16 techs[MAX_NUM_PLAYERS:nscores];
  UINT16 mil_service[MAX_NUM_PLAYERS:nscores];
  UINT8 wonders[MAX_NUM_PLAYERS:nscores];
  UINT16 research[MAX_NUM_PLAYERS:nscores];
  UINT32 landarea[MAX_NUM_PLAYERS:nscores];
  UINT32 settledarea[MAX_NUM_PLAYERS:nscores];
  UINT16 literacy[MAX_NUM_PLAYERS:nscores];
  UINT32 spaceship[MAX_NUM_PLAYERS:nscores];
end

Such a packet shouldn't be accepted if nscores > MAX_NUM_PLAYERS.
This should at least prevent some crashes related to compatibility, because
it seems that a hacked client is able to crash any server if its user
changes one of the maximum values.


_______________________________________________
Freeciv-dev mailing list
Freeciv-dev@gna.org
https://mail.gna.org/listinfo/freeciv-dev

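An added example of the check the report asks for, written for this page and not taken from freeciv's code: a decoder for the leading fields of PACKET_ENDGAME_REPORT that rejects a body whose declared nscores exceeds MAX_NUM_PLAYERS before any array is filled, and also rejects a body shorter than nscores implies. The value of MAX_NUM_PLAYERS (32), the simplified big-endian field encoding, the three-array subset (id, score, pop) and the sample packet bodies are all assumptions of the example, not freeciv's wire format or data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed limit for this example; freeciv defines the real MAX_NUM_PLAYERS
 * in its own headers. */
#define MAX_NUM_PLAYERS 32

enum parse_status {
  PARSE_OK = 0,
  PARSE_BAD_ARRAY_SIZE = 1, /* nscores > MAX_NUM_PLAYERS: refuse the packet, drop the connection */
  PARSE_TRUNCATED = 2       /* fewer bytes than nscores implies */
};

/* Three of the PACKET_ENDGAME_REPORT arrays; the rest follow the same
 * "MAX_NUM_PLAYERS:nscores" pattern and would be handled identically. */
struct endgame_report {
  uint8_t nscores;
  uint8_t id[MAX_NUM_PLAYERS];
  uint16_t score[MAX_NUM_PLAYERS];
  uint32_t pop[MAX_NUM_PLAYERS];
};

/* Simplified big-endian field encoding (an assumption, not freeciv's wire format). */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(((uint16_t)p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
  return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

enum parse_status parse_endgame_report(const uint8_t *buf, size_t len,
                                       struct endgame_report *out)
{
  size_t off = 0, need;
  unsigned i;

  if (len < 1) return PARSE_TRUNCATED;
  out->nscores = buf[off++];

  /* The check the report asks for. Without it a client can declare
   * nscores = 255 and the loops below run past the fixed-size arrays. */
  if (out->nscores > MAX_NUM_PLAYERS) return PARSE_BAD_ARRAY_SIZE;

  /* Also make sure the body actually carries nscores entries of each array. */
  need = 1 + (size_t)out->nscores * (1 + 2 + 4);
  if (len < need) return PARSE_TRUNCATED;

  for (i = 0; i < out->nscores; i++) out->id[i] = buf[off++];
  for (i = 0; i < out->nscores; i++) { out->score[i] = rd16(buf + off); off += 2; }
  for (i = 0; i < out->nscores; i++) { out->pop[i] = rd32(buf + off); off += 4; }
  return PARSE_OK;
}

/* Constructed sample body (not a capture): id[i] = i, score[i] = 100 + i,
 * pop[i] = 1000 * (i + 1). Returns bytes written, or 0 if cap is too small. */
size_t build_report(uint8_t *buf, size_t cap, uint8_t nscores)
{
  size_t off = 0;
  unsigned i;

  if (cap < 1 + (size_t)nscores * 7) return 0;
  buf[off++] = nscores;
  for (i = 0; i < nscores; i++) buf[off++] = (uint8_t)i;
  for (i = 0; i < nscores; i++) {
    uint16_t s = (uint16_t)(100 + i);
    buf[off++] = (uint8_t)(s >> 8); buf[off++] = (uint8_t)s;
  }
  for (i = 0; i < nscores; i++) {
    uint32_t p = 1000u * (i + 1);
    buf[off++] = (uint8_t)(p >> 24); buf[off++] = (uint8_t)(p >> 16);
    buf[off++] = (uint8_t)(p >> 8);  buf[off++] = (uint8_t)p;
  }
  return off;
}

/* Build a body with the given nscores, optionally cut to truncate_to bytes
 * (0 = no truncation), and parse it as the receiving side would. */
enum parse_status roundtrip(uint8_t nscores, size_t truncate_to,
                            struct endgame_report *out)
{
  uint8_t buf[1 + 255 * 7];
  struct endgame_report local;
  size_t n = build_report(buf, sizeof buf, nscores);

  if (truncate_to && truncate_to < n) n = truncate_to;
  return parse_endgame_report(buf, n, out ? out : &local);
}

int main(void)
{
  struct endgame_report r;
  printf("nscores=3:          status %d\n", roundtrip(3, 0, &r));
  printf("nscores=200:        status %d\n", roundtrip(200, 0, &r));
  printf("nscores=3, 5 bytes: status %d\n", roundtrip(3, 5, &r));
  return 0;
}
```

The size check runs before any array is touched, so a hostile nscores never reaches the copy loops; a generated packet decoder would place the same comparison directly after reading each "MAX:count" length field.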