From 57a3338110978b37baab6f7c45935a1dff5db603 Mon Sep 17 00:00:00 2001 From: /dev/humancontroller Date: Mon, 14 Aug 2017 14:04:02 +0200 Subject: apply the security patch for incoming-packet VoIP-data parsing and Huffman decompression TODO: improve this description --- src/qcommon/huffman.c | 29 ++++++++++++++++++++--------- src/qcommon/msg.c | 43 ++++++++++++++++++++++++++++++++++++++----- src/qcommon/qcommon.h | 6 +++--- src/server/sv_client.c | 2 +- 4 files changed, 62 insertions(+), 18 deletions(-) (limited to 'src') diff --git a/src/qcommon/huffman.c b/src/qcommon/huffman.c index aa8ee226..ecec416b 100644 --- a/src/qcommon/huffman.c +++ b/src/qcommon/huffman.c @@ -280,9 +280,15 @@ int Huff_Receive (node_t *node, int *ch, byte *fin) { } /* Get a symbol */ -void Huff_offsetReceive (node_t *node, int *ch, byte *fin, int *offset) { +void Huff_offsetReceive (node_t *node, int *ch, byte *fin, int *offset, int maxoffset) { bloc = *offset; while (node && node->symbol == INTERNAL_NODE) { + if (bloc >= maxoffset) { + // overflow + *ch = 0; + *offset = maxoffset + 1; + return; + } if (get_bit(fin)) { node = node->right; } else { @@ -299,11 +305,16 @@ void Huff_offsetReceive (node_t *node, int *ch, byte *fin, int *offset) { } /* Send the prefix code for this node */ -static void send(node_t *node, node_t *child, byte *fout) { +static void send(node_t *node, node_t *child, byte *fout, int maxoffset) { if (node->parent) { - send(node->parent, node, fout); + send(node->parent, node, fout, maxoffset); } if (child) { + if (bloc >= maxoffset) { + // overflow + bloc = maxoffset + 1; + return; + } if (node->right == child) { add_bit(1, fout); } else { @@ -313,22 +324,22 @@ static void send(node_t *node, node_t *child, byte *fout) { } /* Send a symbol */ -void Huff_transmit (huff_t *huff, int ch, byte *fout) { +void Huff_transmit (huff_t *huff, int ch, byte *fout, int maxoffset) { int i; if (huff->loc[ch] == NULL) { /* node_t hasn't been transmitted, send a NYT, then the symbol */ - Huff_transmit(huff, NYT, fout); + Huff_transmit(huff, NYT, fout, maxoffset); for (i = 7; i >= 0; i--) { add_bit((char)((ch >> i) & 0x1), fout); } } else { - send(huff->loc[ch], NULL, fout); + send(huff->loc[ch], NULL, fout, maxoffset); } } -void Huff_offsetTransmit (huff_t *huff, int ch, byte *fout, int *offset) { +void Huff_offsetTransmit (huff_t *huff, int ch, byte *fout, int *offset, int maxoffset) { bloc = *offset; - send(huff->loc[ch], NULL, fout); + send(huff->loc[ch], NULL, fout, maxoffset); *offset = bloc; } @@ -414,7 +425,7 @@ void Huff_Compress(msg_t *mbuf, int offset) { for (i=0; imaxsize - msg->cursize < 4 ) { - msg->overflowed = qtrue; + if ( msg->overflowed ) { return; } @@ -141,6 +139,11 @@ void MSG_WriteBits( msg_t *msg, int value, int bits ) { bits = -bits; } if (msg->oob) { + if ( msg->cursize + ( bits >> 3 ) > msg->maxsize ) { + msg->overflowed = qtrue; + return; + } + if(bits==8) { msg->data[msg->cursize] = value; @@ -169,6 +172,10 @@ void MSG_WriteBits( msg_t *msg, int value, int bits ) { if (bits&7) { int nbits; nbits = bits&7; + if ( msg->bit + nbits > msg->maxsize << 3 ) { + msg->overflowed = qtrue; + return; + } for(i=0;idata, &msg->bit); value = (value>>1); @@ -178,8 +185,12 @@ void MSG_WriteBits( msg_t *msg, int value, int bits ) { if (bits) { for(i=0;idata, &msg->bit); + Huff_offsetTransmit( &msgHuff.compressor, (value & 0xff), msg->data, &msg->bit, msg->maxsize << 3 ); value = (value>>8); + if ( msg->bit > msg->maxsize << 3 ) { + msg->overflowed = qtrue; + return; + } } } msg->cursize = (msg->bit>>3)+1; @@ -194,6 +205,11 @@ int MSG_ReadBits( msg_t *msg, int bits ) { int i, nbits; // FILE* fp; + if ( msg->readcount > msg->cursize ) { + // overflowed + return 0; + } + value = 0; if ( bits < 0 ) { @@ -204,6 +220,12 @@ int MSG_ReadBits( msg_t *msg, int bits ) { } if (msg->oob) { + if (msg->readcount + (bits>>3) > msg->cursize) { + // overflowed + msg->readcount = msg->cursize + 1; + return 0; + } + if(bits==8) { value = msg->data[msg->readcount]; @@ -231,6 +253,11 @@ int MSG_ReadBits( msg_t *msg, int bits ) { nbits = 0; if (bits&7) { nbits = bits&7; + if (msg->bit + nbits > msg->cursize << 3) { + // overflowed + msg->readcount = msg->cursize + 1; + return 0; + } for(i=0;idata, &msg->bit)<data, &msg->bit); + Huff_offsetReceive (msgHuff.decompressor.tree, &get, msg->data, &msg->bit, msg->cursize<<3); // fwrite(&get, 1, 1, fp); value |= (get<<(i+nbits)); + + if (msg->bit > msg->cursize<<3) { + // overflowed + msg->readcount = msg->cursize + 1; + return 0; + } } // fclose(fp); } diff --git a/src/qcommon/qcommon.h b/src/qcommon/qcommon.h index 5dc5ab0c..f6111c39 100644 --- a/src/qcommon/qcommon.h +++ b/src/qcommon/qcommon.h @@ -1165,9 +1165,9 @@ void Huff_Decompress(msg_t *buf, int offset); void Huff_Init(huffman_t *huff); void Huff_addRef(huff_t* huff, byte ch); int Huff_Receive (node_t *node, int *ch, byte *fin); -void Huff_transmit (huff_t *huff, int ch, byte *fout); -void Huff_offsetReceive (node_t *node, int *ch, byte *fin, int *offset); -void Huff_offsetTransmit (huff_t *huff, int ch, byte *fout, int *offset); +void Huff_transmit (huff_t *huff, int ch, byte *fout, int maxoffset); +void Huff_offsetReceive (node_t *node, int *ch, byte *fin, int *offset, int maxoffset); +void Huff_offsetTransmit (huff_t *huff, int ch, byte *fout, int *offset, int maxoffset); void Huff_putBit( int bit, byte *fout, int *offset); int Huff_getBit( byte *fout, int *offset); diff --git a/src/server/sv_client.c b/src/server/sv_client.c index 126a9d05..f3a0494f 100644 --- a/src/server/sv_client.c +++ b/src/server/sv_client.c @@ -1565,7 +1565,7 @@ void SV_UserVoip(client_t *cl, msg_t *msg, qboolean ignoreData) } packetsize = MSG_ReadShort(msg); - if (msg->readcount > msg->cursize) + if (msg->readcount + packetsize > msg->cursize) return; // short/invalid packet, bail. if (packetsize > sizeof (encoded)) { // overlarge packet? -- cgit