summaryrefslogtreecommitdiff
path: root/src/network
diff options
context:
space:
mode:
authorrubidium <rubidium@openttd.org>2008-04-09 14:05:50 +0000
committerrubidium <rubidium@openttd.org>2008-04-09 14:05:50 +0000
commitab7b05da505bd746f4b5c24179b27d379ade638f (patch)
treebe89cec2d8d7a3c23aad474d71ecca0e128dcbe0 /src/network
parentc41624bb94d97fa6393e361dbe09fca2d53f0239 (diff)
downloadopenttd-ab7b05da505bd746f4b5c24179b27d379ade638f.tar.xz
(svn r12637) -Fix [FS#1913]: possible NULL pointer dereference when reading some NewGRF data.
Diffstat (limited to 'src/network')
-rw-r--r--src/network/core/config.h9
-rw-r--r--src/network/core/udp.cpp3
2 files changed, 5 insertions, 7 deletions
diff --git a/src/network/core/config.h b/src/network/core/config.h
index e261ef2f0..33e79a9a7 100644
--- a/src/network/core/config.h
+++ b/src/network/core/config.h
@@ -38,14 +38,9 @@ enum {
/**
* Maximum number of GRFs that can be sent.
* This value is related to number of handles (files) OpenTTD can open.
- * This is currently 64 and about 10 are currently used when OpenTTD loads
- * without any NewGRFs. Therefore one can only load about 55 NewGRFs, so
- * this is not a limit, but rather a way to easily check whether the limit
- * imposed by the handle count is reached. Secondly it isn't possible to
- * send much more GRF IDs + MD5sums in the PACKET_UDP_SERVER_RESPONSE, due
- * to the limited size of UDP packets.
+ * This is currently 64. Two are used for configuration and sound.
*/
- NETWORK_MAX_GRF_COUNT = 55,
+ NETWORK_MAX_GRF_COUNT = 62,
NETWORK_NUM_LANGUAGES = 36, ///< Number of known languages (to the network protocol) + 1 for 'any'.
/**
diff --git a/src/network/core/udp.cpp b/src/network/core/udp.cpp
index 6c8b56a53..77a4c81ae 100644
--- a/src/network/core/udp.cpp
+++ b/src/network/core/udp.cpp
@@ -221,6 +221,9 @@ void NetworkUDPSocketHandler::Recv_NetworkGameInfo(Packet *p, NetworkGameInfo *i
uint i;
uint num_grfs = p->Recv_uint8();
+ /* Broken/bad data. It cannot have that many NewGRFs. */
+ if (num_grfs > NETWORK_MAX_GRF_COUNT) return;
+
for (i = 0; i < num_grfs; i++) {
GRFConfig *c = CallocT<GRFConfig>(1);
this->Recv_GRFIdentifier(p, c);