skill_select_menu unchecked input out of bounds crash
Warning! This is the old Hercules bugtracker archive, and may not reflect the current state of Hercules. The current bugtracker is on GitHub Issues.
Issue information
Issue ID: #6830
Status: Fixed
Severity: Critical
Started: Hercules Elf Bot, Oct 29, 2012 17:42
Last Post: Hercules Elf Bot, Oct 31, 2012 2:10
Confirmation: N/A
Hercules Elf Bot - Oct 29, 2012 17:42
Originally posted by theultramage: Hello, clif_parse_SkillSelectMenu() calls skill_select_menu(sd,RFIFOL(fd,2),RFIFOW(fd,6)), which does id = sd->status.skill[skill_id].id. Here skill_id is a value controlled by the client, but it's not checked anywhere and is just directly used as an array offset. This leads to a trivially exploitable out of bounds crash.
In this specific case, the client sent [ header = 0x443, flag = 2, skill_id = 50424 (0xc4f8) ]. The client is 2011-12-28ragRE and I don't know if this is a special packet or a spoofed one. According to zone type info, the only valid values for 'flag' are 0 and 1.
Hercules Elf Bot - Oct 31, 2012 2:09
Originally posted by Ind: Thank you very much. Fixed in revision 16848. (Merely changed the order; should it be within bounds for GS_GLITTERING, skill_get_type will trigger skill_chk, which will rule out any invalid ids.)
This post has been edited by Ind on Oct 31, 2012 2:19
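As an added illustration of the bug in the report and the "changed the order" fix (this is not Hercules's code and not revision 16848), a simplified C model that parses the 0x443 packet exactly as laid out above and validates the client-controlled skill_id before it ever reaches the array. The packet bytes and values are the ones reported; MAX_SKILL, the struct layout and the function names are assumptions, and the flag check goes beyond the applied fix, following theultramage's note that only 0 and 1 are valid.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed table size for this model; Hercules has its own MAX_SKILL, whose value the report does not give. */
#define MAX_SKILL 1478
struct skill_entry { uint16_t id; uint8_t lv; };
struct map_session_data { struct skill_entry skill[MAX_SKILL]; };  /* stands in for sd->status.skill */

/* Little-endian field reads, standing in for RFIFOW/RFIFOL on the raw packet buffer. */
static uint16_t rd_w(const uint8_t *p, size_t off) { return (uint16_t)(p[off] | (p[off + 1] << 8)); }
static uint32_t rd_l(const uint8_t *p, size_t off) {
    return (uint32_t)p[off] | ((uint32_t)p[off + 1] << 8)
         | ((uint32_t)p[off + 2] << 16) | ((uint32_t)p[off + 3] << 24);
}

/* The bounds test skill_chk stands for in the fix: an id is usable only if it indexes inside the table. */
static int skill_chk(uint32_t skill_id) { return skill_id < MAX_SKILL; }

/* Fixed ordering: validate the client-controlled id (and the flag) before any array access.
 * Returns -1 on rejection, otherwise the id stored in that slot (0 when the slot is empty). */
static int skill_select_menu(struct map_session_data *sd, uint32_t flag, uint16_t skill_id) {
    if (flag != 0 && flag != 1) return -1;  /* per the report, only 0 and 1 are valid */
    if (!skill_chk(skill_id)) return -1;    /* 50424 is rejected here instead of reading past the array */
    return sd->skill[skill_id].id;
}

/* Packet 0x0443 as described: header (2 bytes) | flag as RFIFOL at offset 2 | skill_id as RFIFOW at offset 6. */
static int handle_skill_select_menu(struct map_session_data *sd, const uint8_t *pkt, size_t len) {
    if (len < 8 || rd_w(pkt, 0) != 0x0443) return -1;
    return skill_select_menu(sd, rd_l(pkt, 2), rd_w(pkt, 6));
}

/* Constructed replay of the reported bytes: flag = 2, skill_id = 0xc4f8 (50424). Expected result: -1. */
static int demo_reported_packet(void) {
    static struct map_session_data sd;
    static const uint8_t pkt[8] = { 0x43, 0x04, 0x02, 0x00, 0x00, 0x00, 0xf8, 0xc4 };
    memset(&sd, 0, sizeof sd);
    return handle_skill_select_menu(&sd, pkt, sizeof pkt);
}

/* Constructed well-formed packet: flag = 1, skill_id = 10, with slot 10 holding id 10. Expected result: 10. */
static int demo_valid_packet(void) {
    static struct map_session_data sd;
    static const uint8_t pkt[8] = { 0x43, 0x04, 0x01, 0x00, 0x00, 0x00, 0x0a, 0x00 };
    memset(&sd, 0, sizeof sd);
    sd.skill[10].id = 10;
    return handle_skill_select_menu(&sd, pkt, sizeof pkt);
}
```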
Hercules Elf Bot - Oct 31, 2012 2:10
Originally posted by Ind: Eh, I got carried away with the crash and forgot about the flag D: ... shame on me. We currently do not rely on that information; however, perhaps we should just document the flag field in clif_parse_SkillSelectMenu and remove it.
This post has been edited by Ind on Oct 31, 2012 2:11