From cd23dd64bfb38532afe737bdf2cc5895c5828b0f Mon Sep 17 00:00:00 2001 From: rubidium Date: Wed, 9 Apr 2008 14:05:50 +0000 Subject: (svn r12637) -Fix [FS#1913]: possible NULL pointer dereference when reading some NewGRF data. --- src/network/core/config.h | 9 ++------- src/network/core/udp.cpp | 3 +++ 2 files changed, 5 insertions(+), 7 deletions(-) diff --git a/src/network/core/config.h b/src/network/core/config.h index e261ef2f0..33e79a9a7 100644 --- a/src/network/core/config.h +++ b/src/network/core/config.h @@ -38,14 +38,9 @@ enum { /** * Maximum number of GRFs that can be sent. * This value is related to number of handles (files) OpenTTD can open. - * This is currently 64 and about 10 are currently used when OpenTTD loads - * without any NewGRFs. Therefore one can only load about 55 NewGRFs, so - * this is not a limit, but rather a way to easily check whether the limit - * imposed by the handle count is reached. Secondly it isn't possible to - * send much more GRF IDs + MD5sums in the PACKET_UDP_SERVER_RESPONSE, due - * to the limited size of UDP packets. + * This is currently 64. Two are used for configuration and sound. */ - NETWORK_MAX_GRF_COUNT = 55, + NETWORK_MAX_GRF_COUNT = 62, NETWORK_NUM_LANGUAGES = 36, ///< Number of known languages (to the network protocol) + 1 for 'any'. /** diff --git a/src/network/core/udp.cpp b/src/network/core/udp.cpp index 6c8b56a53..77a4c81ae 100644 --- a/src/network/core/udp.cpp +++ b/src/network/core/udp.cpp @@ -221,6 +221,9 @@ void NetworkUDPSocketHandler::Recv_NetworkGameInfo(Packet *p, NetworkGameInfo *i uint i; uint num_grfs = p->Recv_uint8(); + /* Broken/bad data. It cannot have that many NewGRFs. */ + if (num_grfs > NETWORK_MAX_GRF_COUNT) return; + for (i = 0; i < num_grfs; i++) { GRFConfig *c = CallocT(1); this->Recv_GRFIdentifier(p, c); -- cgit v1.2.3-70-g09d2