
* Exploit prevention in clif_parse_NpcStringInput

git-svn-id: https://svn.code.sf.net/p/rathena/svn/trunk@6670 54d463be-8e91-2dee-dedb-b68131a5f0ec
Lance 19 سال پیش
والد
کامیت
2a38662225
2فایلهای تغییر یافته به همراه10 افزوده شده و 5 حذف شده
  1. 1 0
      Changelog-Trunk.txt
  2. 9 5
      src/map/clif.c

+ 1 - 0
Changelog-Trunk.txt

@@ -4,6 +4,7 @@ AS OF SVN REV. 5091, WE ARE NOW USING TRUNK.  ALL UNTESTED BUGFIXES/FEATURES GO
 IF YOU HAVE A WORKING AND TESTED BUGFIX PUT IT INTO STABLE AS WELL AS TRUNK.
 
 2006/05/19
+	* Exploit prevention in clif_parse_NpcStringInput [Lance]
 	* grfio_final moved back if any of GRF overriding is enabled so servers
 	  with such configuration will not have different values after reloading. [Lance]
 	* jA1983 script.c buildin_menu fix. Thanks to End_of_exam. [Lance]

+ 9 - 5
src/map/clif.c

@@ -9800,14 +9800,18 @@ void clif_parse_NpcAmountInput(int fd,struct map_session_data *sd)
  */
 void clif_parse_NpcStringInput(int fd,struct map_session_data *sd)
 {
+	unsigned short message_len = RFIFOW(fd,2)-7;
 	RFIFOHEAD(fd);
 
-	if(RFIFOW(fd,2)-7 >= sizeof(sd->npc_str)){
+	if(message_len >= sizeof(sd->npc_str)){
 		ShowWarning("clif: input string too long !\n");
-		memcpy(sd->npc_str,RFIFOP(fd,8),sizeof(sd->npc_str));
-		sd->npc_str[sizeof(sd->npc_str)-1]=0;
-	} else
-		strcpy(sd->npc_str,(char*)RFIFOP(fd,8));
+		message_len = sizeof(sd->npc_str);
+	}
+
+	// Exploit prevention if crafted packets (without null) is being sent. [Lance]
+	memcpy(sd->npc_str,RFIFOP(fd,8),message_len); 
+	sd->npc_str[message_len-1]=0;
+
 	npc_scriptcont(sd,RFIFOL(fd,4));
 }
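Review bot: A length word of exactly 7 still reaches `sd->npc_str[message_len-1]=0` with message_len equal to 0, and because the unsigned short is promoted to int before the subtraction that stores a zero byte at `sd->npc_str[-1]`, i.e. into whatever field precedes npc_str in map_session_data. A length word below 7 wraps `RFIFOW(fd,2)-7` to a large value that the `>= sizeof(sd->npc_str)` clamp does catch, but the clamped memcpy then copies sizeof(npc_str) bytes that lie past the received packet, so stale read-buffer contents end up in npc_str; whether the packet dispatcher already rejects such short variable-length packets is not visible here. The first `RFIFOW(fd,2)` is also evaluated before `RFIFOHEAD(fd)`; if that macro sets up the buffer pointer the RFIFO accessors use, the initializer should move below it. A minimum-length check before the subtraction closes both holes, as below (the subsequent memcpy, terminator write and `npc_scriptcont` call are unchanged); note that even with this check the copy of `len-7` bytes reads one byte past the `len-8` bytes of payload that follow offset 8, so `message_len = packet_len - 8` may be the intended size if the client is expected to include its own terminator.
```c
void clif_parse_NpcStringInput(int fd,struct map_session_data *sd)
{
	int packet_len;
	unsigned short message_len;
	RFIFOHEAD(fd);

	// Reject packets too short to carry the 8-byte header; a length word
	// of 7 or less would otherwise wrap the subtraction below.
	packet_len = RFIFOW(fd,2);
	if(packet_len < 8){
		ShowWarning("clif: input string packet too short !\n");
		return;
	}
	message_len = packet_len-7;

	if(message_len >= sizeof(sd->npc_str)){
		ShowWarning("clif: input string too long !\n");
		message_len = sizeof(sd->npc_str);
	}
	/* … unchanged: memcpy into npc_str, terminator, npc_scriptcont … */
```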