Add packet size validation to SMSG_CREATURE_QUERY_RESPONSE parsing

Improve robustness of creature query response parsing by adding defensive size checks to both WotLK/TBC and Classic variants: - WotLK/TBC (world_packets.cpp): Add upfront validation for entry field, validate minimum size (16 bytes) before reading fixed fields (typeFlags, creatureType, family, rank), graceful truncation handling - Classic (packet_parsers_classic.cpp): Add upfront entry validation, enhance existing truncation check with default field initialization, improve logging consistency - Both variants now initialize fields to 0 on truncation and log warnings with entry context Part of ongoing Tier 2 work to improve multi-expansion packet parsing robustness against malformed or truncated server packets.
2026-03-24 16:10:14 +00:00 · 2026-03-11 14:19:58 -07:00 · 2026-03-11 14:19:58 -07:00 · 2f1b142e14
commit 2f1b142e14
parent e464300346
2 changed files with 31 additions and 3 deletions
--- a/src/game/world_packets.cpp
+++ b/src/game/world_packets.cpp
@ -2295,6 +2295,12 @@ network::Packet CreatureQueryPacket::build(uint32_t entry, uint64_t guid) {
 }

 bool CreatureQueryResponseParser::parse(network::Packet& packet, CreatureQueryResponseData& data) {
+    // Validate minimum packet size: entry(4)
+    if (packet.getSize() < 4) {
+        LOG_ERROR("SMSG_CREATURE_QUERY_RESPONSE: packet too small (", packet.getSize(), " bytes)");
+        return false;
+    }
+
    data.entry = packet.readUInt32();

    // High bit set means creature not found
@ -2312,6 +2318,18 @@ bool CreatureQueryResponseParser::parse(network::Packet& packet, CreatureQueryRe
    packet.readString(); // name4
    data.subName = packet.readString();
    data.iconName = packet.readString();
+
+    // WotLK: 4 fixed fields after iconName (typeFlags, creatureType, family, rank)
+    // Validate minimum size for these fields: 4×4 = 16 bytes
+    if (packet.getSize() - packet.getReadPos() < 16) {
+        LOG_WARNING("SMSG_CREATURE_QUERY_RESPONSE: truncated before typeFlags (entry=", data.entry, ")");
+        data.typeFlags = 0;
+        data.creatureType = 0;
+        data.family = 0;
+        data.rank = 0;
+        return true;  // Have name/sub/icon; base fields are important but optional
+    }
+
    data.typeFlags = packet.readUInt32();
    data.creatureType = packet.readUInt32();
    data.family = packet.readUInt32();