Verify size of objects sent/requested (#6076)

2026-01-06 06:32:56 +01:00 · 2017-08-01 13:29:16 +02:00
parent 1fed4f0b2d
commit ee443818a8
4 changed files with 27 additions and 1 deletions
--- a/data/language/en-GB.txt
+++ b/data/language/en-GB.txt
@@ -4443,6 +4443,8 @@ STR_6131    :Object source
 STR_6132    :Ignore research status
 STR_6133    :{SMALLFONT}{BLACK}Access rides and scenery that have not yet been invented
 STR_6134    :Clear Scenery
+STR_6135    :Client sent invalid request
+STR_6136    :Server sent invalid request

 #############
 # Scenarios #
--- a/src/openrct2/localisation/string_ids.h
+++ b/src/openrct2/localisation/string_ids.h
@@ -3807,6 +3807,9 @@ enum {

    STR_SHORTCUT_CLEAR_SCENERY = 6134,

+    STR_MULTIPLAYER_CLIENT_INVALID_REQUEST = 6135,
+    STR_MULTIPLAYER_SERVER_INVALID_REQUEST = 6136,
+
    // Have to include resource strings (from scenarios and objects) for the time being now that language is partially working
    STR_COUNT = 32768
 };
--- a/src/openrct2/network/network.cpp
+++ b/src/openrct2/network/network.cpp
@@ -1659,6 +1659,13 @@ void Network::Client_Handle_OBJECTS(NetworkConnection& connection, NetworkPacket
    uint32 size;
    packet >> size;
    log_verbose("client received object list, it has %u entries", size);
+    if (size > OBJECT_ENTRY_COUNT)
+    {
+        connection.SetLastDisconnectReason(STR_MULTIPLAYER_SERVER_INVALID_REQUEST);
+        connection.Socket->Disconnect();
+        log_warning("Server sent invalid amount of objects");
+        return;
+    }
    std::vector<std::string> requested_objects;
    for (uint32 i = 0; i < size; i++)
    {
@@ -1686,6 +1693,20 @@ void Network::Server_Handle_OBJECTS(NetworkConnection& connection, NetworkPacket
 {
    uint32 size;
    packet >> size;
+    if (size > OBJECT_ENTRY_COUNT)
+    {
+        connection.SetLastDisconnectReason(STR_MULTIPLAYER_CLIENT_INVALID_REQUEST);
+        connection.Socket->Disconnect();
+        std::string playerName = "(unknown)";
+        if (connection.Player)
+        {
+            playerName = connection.Player->Name;
+        }
+        std::string text = std::string("Player ") + playerName + std::string(" requested invalid amount of objects");
+        AppendServerLog(text);
+        log_warning(text.c_str());
+        return;
+    }
    log_verbose("Client requested %u objects", size);
    IObjectRepository * repo = GetObjectRepository();
    for (uint32 i = 0; i < size; i++)
--- a/src/openrct2/scenario/scenario.h
+++ b/src/openrct2/scenario/scenario.h
@@ -99,7 +99,7 @@ typedef struct rct_s6_data {
    // packed objects

    // SC6[3]
-    rct_object_entry objects[721];
+    rct_object_entry objects[OBJECT_ENTRY_COUNT];

    // SC6[4]
    uint16 elapsed_months;