phaneron/Kelsidavis-WoWee
1
0
Fork 0
mirror of https://github.com/Kelsidavis/WoWee.git synced 2026-04-17 17:43:52 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Cap spell cooldown entries in SpellCooldownParser

Browse source 
SMSG_SPELL_COOLDOWN (3.3.5a) improvements:
- Validate 9-byte minimum for guid + flags
- Cap cooldown entries to 512 (each entry is 8 bytes: spellId + ms)
- Prevent unbounded memory allocation from malformed packets
- Log warning when cap is reached with remaining data ignored

Prevents DoS from servers sending malformed cooldown lists.
This commit is contained in:
Kelsi 2026-03-11 14:33:02 -07:00
parent 1d4f69add3
commit efc394ce9e
1 changed files with 13 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

14
src/game/world_packets.cpp
View file

@ -3437,13 +3437,25 @@ bool AuraUpdateParser::parse(network::Packet& packet, AuraUpdateData& data, bool
} }
bool SpellCooldownParser::parse(network::Packet& packet, SpellCooldownData& data) { bool SpellCooldownParser::parse(network::Packet& packet, SpellCooldownData& data) {
// Upfront validation: guid(8) + flags(1) = 9 bytes minimum
if (packet.getSize() - packet.getReadPos() < 9) return false;
data.guid = packet.readUInt64(); data.guid = packet.readUInt64();
data.flags = packet.readUInt8(); data.flags = packet.readUInt8();
while (packet.getReadPos() + 8 <= packet.getSize()) { // Cap cooldown entries to prevent unbounded memory allocation (each entry is 8 bytes)
uint32_t maxCooldowns = 512;
uint32_t cooldownCount = 0;
while (packet.getReadPos() + 8 <= packet.getSize() && cooldownCount < maxCooldowns) {
uint32_t spellId = packet.readUInt32(); uint32_t spellId = packet.readUInt32();
uint32_t cooldownMs = packet.readUInt32(); uint32_t cooldownMs = packet.readUInt32();
data.cooldowns.push_back({spellId, cooldownMs}); data.cooldowns.push_back({spellId, cooldownMs});
cooldownCount++;
}
if (cooldownCount >= maxCooldowns && packet.getReadPos() + 8 <= packet.getSize()) {
LOG_WARNING("Spell cooldowns: capped at ", maxCooldowns, " entries, remaining data ignored");
} }
LOG_DEBUG("Spell cooldowns: ", data.cooldowns.size(), " entries"); LOG_DEBUG("Spell cooldowns: ", data.cooldowns.size(), " entries");