diff options
author | rubidium <rubidium@openttd.org> | 2008-04-09 14:05:50 +0000 |
---|---|---|
committer | rubidium <rubidium@openttd.org> | 2008-04-09 14:05:50 +0000 |
commit | ab7b05da505bd746f4b5c24179b27d379ade638f (patch) | |
tree | be89cec2d8d7a3c23aad474d71ecca0e128dcbe0 /src/network | |
parent | c41624bb94d97fa6393e361dbe09fca2d53f0239 (diff) | |
download | openttd-ab7b05da505bd746f4b5c24179b27d379ade638f.tar.xz |
(svn r12637) -Fix [FS#1913]: possible NULL pointer dereference when reading some NewGRF data.
Diffstat (limited to 'src/network')
-rw-r--r-- | src/network/core/config.h | 9 | ||||
-rw-r--r-- | src/network/core/udp.cpp | 3 |
2 files changed, 5 insertions, 7 deletions
diff --git a/src/network/core/config.h b/src/network/core/config.h index e261ef2f0..33e79a9a7 100644 --- a/src/network/core/config.h +++ b/src/network/core/config.h @@ -38,14 +38,9 @@ enum { /** * Maximum number of GRFs that can be sent. * This value is related to number of handles (files) OpenTTD can open. - * This is currently 64 and about 10 are currently used when OpenTTD loads - * without any NewGRFs. Therefore one can only load about 55 NewGRFs, so - * this is not a limit, but rather a way to easily check whether the limit - * imposed by the handle count is reached. Secondly it isn't possible to - * send much more GRF IDs + MD5sums in the PACKET_UDP_SERVER_RESPONSE, due - * to the limited size of UDP packets. + * This is currently 64. Two are used for configuration and sound. */ - NETWORK_MAX_GRF_COUNT = 55, + NETWORK_MAX_GRF_COUNT = 62, NETWORK_NUM_LANGUAGES = 36, ///< Number of known languages (to the network protocol) + 1 for 'any'. /** diff --git a/src/network/core/udp.cpp b/src/network/core/udp.cpp index 6c8b56a53..77a4c81ae 100644 --- a/src/network/core/udp.cpp +++ b/src/network/core/udp.cpp @@ -221,6 +221,9 @@ void NetworkUDPSocketHandler::Recv_NetworkGameInfo(Packet *p, NetworkGameInfo *i uint i; uint num_grfs = p->Recv_uint8(); + /* Broken/bad data. It cannot have that many NewGRFs. */ + if (num_grfs > NETWORK_MAX_GRF_COUNT) return; + for (i = 0; i < num_grfs; i++) { GRFConfig *c = CallocT<GRFConfig>(1); this->Recv_GRFIdentifier(p, c); |