From a4415eb20770e746a0f20480ae81c87917f584ea Mon Sep 17 00:00:00 2001
From: Kelsi
Date: Tue, 17 Mar 2026 22:08:25 -0700
Subject: [PATCH] fix: clamp pointCount in handleMonsterMoveTransport to prevent DoS

handleMonsterMoveTransport() read a server-supplied pointCount without any bounds check before iterating. A malformed packet with pointCount=0xFFFFFFFF would loop billions of times. All other parsers (MonsterMoveParser::parse, TBC parseMonsterMove) cap at 1000 or 16384. Added kMaxTransportSplinePoints=1000 cap with a LOG_WARNING, matching the limit used by MonsterMoveParser::parse() in world_packets.cpp.
---
 src/game/game_handler.cpp | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/game/game_handler.cpp b/src/game/game_handler.cpp
index c5fe5c5e..2eacb363 100644
--- a/src/game/game_handler.cpp
+++ b/src/game/game_handler.cpp
@@ -17663,6 +17663,12 @@ void GameHandler::handleMonsterMoveTransport(network::Packet& packet) {
 if (packet.getReadPos() + 4 > packet.getSize()) return;
 uint32_t pointCount = packet.readUInt32();
+ constexpr uint32_t kMaxTransportSplinePoints = 1000;
+ if (pointCount > kMaxTransportSplinePoints) {
+ LOG_WARNING("SMSG_MONSTER_MOVE_TRANSPORT: pointCount=", pointCount,
+ " clamped to ", kMaxTransportSplinePoints);
+ pointCount = kMaxTransportSplinePoints;
+ }
 // Read destination point (transport-local server coords)
 float destLocalX = localX, destLocalY = localY, destLocalZ = localZ;
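Review bot: Clamping an over-limit count and continuing (`pointCount = kMaxTransportSplinePoints;`) keeps parsing a packet that is already known to be malformed, so the per-point reads that follow consume whatever bytes happen to be there and the read position ends up wherever the first 1000 records leave it; the length check two lines above returns on bad input, and the same treatment fits here — keep the LOG_WARNING, word it as "dropping packet" rather than "clamped to", and replace the assignment with `return;`. If MonsterMoveParser::parse() really clamps rather than rejects, the commit's consistency argument holds, but a provably bad count is still safer rejected than repaired. A cheaper, more precise bound is also available if the loop reads fixed-size records: compare the count against the remaining payload, e.g. `if (pointCount > (packet.getSize() - packet.getReadPos()) / kBytesPerPoint) return;` — the loop lies past the hunk, so the record size and whether each read is already bounds-checked need confirming. Note too that a hostile server can trigger this warning on every packet; if LOG_WARNING is unthrottled that is a log-flooding vector. The enclosing function begins and ends outside the hunk.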