fix: clamp pointCount in handleMonsterMoveTransport to prevent DoS

handleMonsterMoveTransport() read a server-supplied pointCount without
any bounds check before iterating. A malformed packet with
pointCount=0xFFFFFFFF would loop billions of times. All other parsers
(MonsterMoveParser::parse, TBC parseMonsterMove) cap at 1000 or 16384.

Added kMaxTransportSplinePoints=1000 cap with a LOG_WARNING, matching
the limit used by MonsterMoveParser::parse() in world_packets.cpp.
Kelsi 2026-03-17 22:08:25 -07:00
parent b00025918c
commit a4415eb207

@ -17663,6 +17663,12 @@ void GameHandler::handleMonsterMoveTransport(network::Packet& packet) {
if (packet.getReadPos() + 4 > packet.getSize()) return;
uint32_t pointCount = packet.readUInt32();
constexpr uint32_t kMaxTransportSplinePoints = 1000;
if (pointCount > kMaxTransportSplinePoints) {
LOG_WARNING("SMSG_MONSTER_MOVE_TRANSPORT: pointCount=", pointCount,
" clamped to ", kMaxTransportSplinePoints);
pointCount = kMaxTransportSplinePoints;
}
// Read destination point (transport-local server coords)
float destLocalX = localX, destLocalY = localY, destLocalZ = localZ;
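Review bot: clamping `pointCount` and continuing to parse (`pointCount = kMaxTransportSplinePoints;`) bounds the loop but leaves the read position desynchronized from the sender's layout, because the bytes that follow were laid out for the original count; every field parsed after the point loop will then be read from the wrong offset. Prefer the pattern the hunk already uses for the count field itself, `if (packet.getReadPos() + 4 > packet.getSize()) return;`: compute the bytes needed for `pointCount` points (count times the per-point size) against `packet.getSize() - packet.getReadPos()` and return early when they do not fit. That rejects both oversized counts and truncated packets in one check, without the 1000-point ceiling having to stand in for a length check, and the per-point reads in the loop still need their own bound against `getSize()`. Also note that `LOG_WARNING` fires once per malformed packet, so a peer sending these in bulk turns the warning into log flooding; a rate-limited or debug-level log is safer here.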