--- trunk/server/unithand.c	2006/07/12 17:18:43	12065
+++ trunk/server/unithand.c	2006/07/16 12:15:25	12106
@@ -1622,7 +1622,8 @@
   struct tile *src_tile = map_pos_to_tile(packet->src_x, packet->src_y);
   int i;
 
-  if (!punit || packet->length < 0 || punit->activity != ACTIVITY_IDLE) {
+  if (!punit || packet->length < 0 || punit->activity != ACTIVITY_IDLE
+      || packet->length > MAX_LEN_ROUTE) {
     return;
   }
 
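Review bot: The new `packet->length > MAX_LEN_ROUTE` rejection shares one silent `return` with the missing-unit and non-idle cases, so an out-of-range length from a client leaves no trace and cannot be told apart from a benign race. Splitting the range test into its own guard that logs the connection and the offending value would make malformed packets visible to operators. It would also help to state the trust boundary in a comment, for example `/* length is client-supplied: reject anything outside 0..MAX_LEN_ROUTE before it is used as a count */`. `src_tile` is likewise built from client-supplied coordinates above the guard. Whether it is tested for NULL cannot be seen here, because the enclosing function starts and ends outside the hunk.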
--- trunk/common/packets.c	2006/03/04 02:42:00	11710
+++ trunk/common/packets.c	2006/07/24 08:37:08	12146
@@ -562,8 +562,11 @@
 	  chunk->total_length, chunk->chunk_length);
 
   if (chunk->total_length < 0
+      || chunk->chunk_length < 0
       || chunk->total_length >= MAX_ATTRIBUTE_BLOCK
       || chunk->offset < 0
+      || chunk->offset > chunk->total_length /* necessary check on 32 bit systems */
+      || chunk->chunk_length > chunk->total_length
       || chunk->offset + chunk->chunk_length > chunk->total_length
       || (chunk->offset != 0
           && chunk->total_length != pplayer->attribute_block_buffer.length)) {
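Review bot: The comment `/* necessary check on 32 bit systems */` does not say what fails without the check. Presumably the signed sum `chunk->offset + chunk->chunk_length` two lines below can overflow and wrap past the comparison, so the comment should say that, e.g. `/* bound offset so offset + chunk_length below cannot overflow int */`. A sturdier form avoids the addition entirely: once `offset` is known to lie in `0..total_length`, write the range test as `|| chunk->chunk_length > chunk->total_length - chunk->offset`. That cannot overflow and also subsumes the separate `chunk_length > total_length` test. The `< 0` tests only help if these fields are signed, which the hunk does not show. The `if` body and the rest of the function lie outside the hunk.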