From aa12b3b9e8cd7edd57a2602cdb24ddf6d996b2f2 Mon Sep 17 00:00:00 2001
From: Per Inge Mathisen <per@wz2100.net>
Date: Fri, 15 Feb 2008 21:31:23 +0000
Subject: [PATCH] Add several sanity checks for network packets received.

git-svn-id: svn+ssh://svn.gna.org/svn/warzone/trunk@3790 4a71c877-e1ca-e34f-864e-861f7616d084
---
 src/multiplay.c | 23 ++++++++++++++++++++++-
 src/multisync.c | 16 ++++++++++++++--
 2 files changed, 36 insertions(+), 3 deletions(-)

diff --git a/src/multiplay.c b/src/multiplay.c
index 6c72f090d..fa743fca9 100644
--- a/src/multiplay.c
+++ b/src/multiplay.c
@@ -723,6 +723,11 @@ BOOL recvMessage(void)
 				NETuint32_t(&player_id);
 				NETbool(&host);                 // Added to check for host quit here -- Buggy
 			NETend();
+			if (player_id >= MAX_PLAYERS)
+			{
+				debug(LOG_ERROR, "Bad NET_LEAVING received, player ID is %d", (int)player_id);
+				break;
+			}
 			MultiPlayerLeave(player_id);
 			if (host)                               // host has quit, need to quit too.
 			{
@@ -743,7 +748,11 @@ BOOL recvMessage(void)
 				// the player that has just responded
 				NETuint32_t(&player_id);
 			NETend();
-
+			if (player_id >= MAX_PLAYERS)
+			{
+				debug(LOG_ERROR, "Bad NET_PLAYERRESPONDING received, ID is %d", (int)player_id);
+				break;
+			}
 			// This player is now with us!
 			ingame.JoiningInProgress[player_id] = FALSE;
 			break;
@@ -848,6 +857,12 @@ static BOOL recvResearch()
 		NETuint32_t(&index);
 	NETend();
 
+	if (player >= MAX_PLAYERS || index >= numResearch)
+	{
+		debug(LOG_ERROR, "Bad NET_RESEARCH received, player is %d, index is %u", (int)player, index);
+		return FALSE;
+	}
+
 	pPlayerRes = asPlayerResList[player] + index;
 	
 	// If they have completed the research
@@ -932,6 +947,12 @@ BOOL recvResearchStatus()
 		NETuint32_t(&index);
 	NETend();
 
+	if (player >= MAX_PLAYERS || index >= numResearch)
+	{
+		debug(LOG_ERROR, "Bad NET_RESEARCHSTATUS received, player is %d, index is %u", (int)player, index);
+		return FALSE;
+	}
+
 	pPlayerRes = asPlayerResList[player] + index;
 
 	// psBuilding may be null if finishing
diff --git a/src/multisync.c b/src/multisync.c
index 01412e64b..d92bda4a4 100644
--- a/src/multisync.c
+++ b/src/multisync.c
@@ -763,7 +763,14 @@ BOOL recvStructureCheck()
 		NETuint16_t(&y);
 		NETuint16_t(&z);
 		NETfloat(&direction);
-		
+
+		if (player >= MAX_PLAYERS)
+		{
+			debug(LOG_ERROR, "Bad NET_CHECK_STRUCT received!");
+			NETend();
+			return FALSE;
+		}
+
 		// If the structure exists our job is easy
 		pS = IdToStruct(ref, player);
 		if (pS)
@@ -1042,7 +1049,6 @@ BOOL sendScoreCheck(void)
 }
 
 
-
 BOOL recvScoreSubmission()
 {
 	uint8_t		player;
@@ -1175,6 +1181,12 @@ BOOL recvPing()
 		NETbool(&isNew);
 	NETend();
 
+	if (sender >= MAX_PLAYERS)
+	{
+		debug(LOG_ERROR, "Bad NET_PING packet, sender is %d", (int)sender);
+		return FALSE;
+	}
+
 	// If this is a new ping, respond to it
 	if (isNew)
 	{