diff options
author | Johan Berntsson | 2008-01-02 16:35:50 +0000 |
---|---|---|
committer | Johan Berntsson | 2008-01-02 16:35:50 +0000 |
commit | d893c91249cbdd27d80d54cac397eac21a997ce3 (patch) | |
tree | 86f919b7b74a1380af90a2752d5d456c4fd180b1 | |
parent | Full .dll-name in config option for ScriptEngine. Loading only scriptengine s... (diff) | |
download | opensim-SC-d893c91249cbdd27d80d54cac397eac21a997ce3.zip opensim-SC-d893c91249cbdd27d80d54cac397eac21a997ce3.tar.gz opensim-SC-d893c91249cbdd27d80d54cac397eac21a997ce3.tar.bz2 opensim-SC-d893c91249cbdd27d80d54cac397eac21a997ce3.tar.xz |
Fixed buffer overrun bug in ZeroDecodeCommand
-rw-r--r-- | OpenSim/Framework/PacketPool.cs | 25 |
1 files changed, 23 insertions, 2 deletions
diff --git a/OpenSim/Framework/PacketPool.cs b/OpenSim/Framework/PacketPool.cs index c65037f..744ae51 100644 --- a/OpenSim/Framework/PacketPool.cs +++ b/OpenSim/Framework/PacketPool.cs | |||
@@ -68,9 +68,30 @@ namespace OpenSim.Framework | |||
68 | return packet; | 68 | return packet; |
69 | } | 69 | } |
70 | 70 | ||
71 | // Copied from LibSL, and added a check to avoid overwriting the | ||
72 | // buffer | ||
73 | private void ZeroDecodeCommand(byte[] src, byte[] dest) | ||
74 | { | ||
75 | for (int srcPos = 6, destPos = 6; destPos < 10; ++srcPos) | ||
76 | { | ||
77 | if (src[srcPos] == 0x00) | ||
78 | { | ||
79 | for (byte j = 0; j < src[srcPos + 1] && destPos < 10; ++j) | ||
80 | { | ||
81 | dest[destPos++] = 0x00; | ||
82 | } | ||
83 | ++srcPos; | ||
84 | } | ||
85 | else | ||
86 | { | ||
87 | dest[destPos++] = src[srcPos]; | ||
88 | } | ||
89 | } | ||
90 | } | ||
91 | |||
71 | private PacketType GetType(byte[] bytes) | 92 | private PacketType GetType(byte[] bytes) |
72 | { | 93 | { |
73 | byte[] decoded_header = new byte[10+8]; | 94 | byte[] decoded_header = new byte[10]; |
74 | 95 | ||
75 | ushort id; | 96 | ushort id; |
76 | libsecondlife.PacketFrequency freq; | 97 | libsecondlife.PacketFrequency freq; |
@@ -79,7 +100,7 @@ namespace OpenSim.Framework | |||
79 | 100 | ||
80 | if((bytes[0] & libsecondlife.Helpers.MSG_ZEROCODED)!=0) | 101 | if((bytes[0] & libsecondlife.Helpers.MSG_ZEROCODED)!=0) |
81 | { | 102 | { |
82 | libsecondlife.Helpers.ZeroDecodeCommand(bytes, decoded_header); | 103 | ZeroDecodeCommand(bytes, decoded_header); |
83 | } | 104 | } |
84 | 105 | ||
85 | if (decoded_header[6] == 0xFF) | 106 | if (decoded_header[6] == 0xFF) |