phaneron/Kelsidavis-WoWee
1
0
Fork 0
mirror of https://github.com/Kelsidavis/WoWee.git synced 2026-05-03 00:03:50 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Harden TrainerListParser against truncated packets

Browse source 
Add upfront validation for header fields and per-spell bounds checking
before reading trainer spell data. Gracefully handle truncated greeting.
This commit is contained in:
Kelsi 2026-03-11 14:44:52 -07:00
parent 26f1a2d606
commit 1979aa926b
1 changed files with 15 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

16
src/game/world_packets.cpp
View file

@ -4487,6 +4487,8 @@ bool TrainerListParser::parse(network::Packet& packet, TrainerListData& data, bo
// Classic per-entry: spellId(4) + state(1) + cost(4) + reqLevel(1) + // Classic per-entry: spellId(4) + state(1) + cost(4) + reqLevel(1) +
// reqSkill(4) + reqSkillValue(4) + chain×3(12) + unk(4) = 34 bytes // reqSkill(4) + reqSkillValue(4) + chain×3(12) + unk(4) = 34 bytes
data = TrainerListData{}; data = TrainerListData{};
if (packet.getSize() - packet.getReadPos() < 16) return false; // guid(8) + type(4) + count(4)
data.trainerGuid = packet.readUInt64(); data.trainerGuid = packet.readUInt64();
data.trainerType = packet.readUInt32(); data.trainerType = packet.readUInt32();
uint32_t spellCount = packet.readUInt32(); uint32_t spellCount = packet.readUInt32();
@ -4498,6 +4500,13 @@ bool TrainerListParser::parse(network::Packet& packet, TrainerListData& data, bo
data.spells.reserve(spellCount); data.spells.reserve(spellCount);
for (uint32_t i = 0; i < spellCount; ++i) { for (uint32_t i = 0; i < spellCount; ++i) {
// Validate minimum entry size before reading
const size_t minEntrySize = isClassic ? 34 : 38;
if (packet.getReadPos() + minEntrySize > packet.getSize()) {
LOG_WARNING("TrainerListParser: truncated at spell ", i);
break;
}
TrainerSpell spell; TrainerSpell spell;
spell.spellId = packet.readUInt32(); spell.spellId = packet.readUInt32();
spell.state = packet.readUInt8(); spell.state = packet.readUInt8();
@ -4524,7 +4533,12 @@ bool TrainerListParser::parse(network::Packet& packet, TrainerListData& data, bo
data.spells.push_back(spell); data.spells.push_back(spell);
} }
data.greeting = packet.readString(); if (packet.getReadPos() >= packet.getSize()) {
LOG_WARNING("TrainerListParser: truncated before greeting");
data.greeting.clear();
} else {
data.greeting = packet.readString();
}
LOG_INFO("Trainer list (", isClassic ? "Classic" : "TBC/WotLK", "): ", LOG_INFO("Trainer list (", isClassic ? "Classic" : "TBC/WotLK", "): ",
spellCount, " spells, type=", data.trainerType, spellCount, " spells, type=", data.trainerType,