
* Added a check to WFIFOSET to detect zero-length 'sets' of packets that could cause memory corruption (through code after WFIFOHEAD(fd,packet_len(cmd)) where the length is 0).

git-svn-id: https://svn.code.sf.net/p/rathena/svn/trunk@14995 54d463be-8e91-2dee-dedb-b68131a5f0ec
ai4rei 13 years ago
parent commit d0aafe2fdc
2 changed files with 10 additions and 0 deletions
  1. Changelog-Trunk.txt (+2 -0)
  2. src/common/socket.c (+8 -0)

+ 2 - 0
Changelog-Trunk.txt

@@ -1,5 +1,7 @@
 Date	Added
 
+2011/11/17
+	* Added a check to WFIFOSET to detect zero-length 'sets' of packets, that could cause memory corruption (through code after WFIFOHEAD(fd,packet_len(cmd)) where the length is 0). [Ai4rei]
 2011/11/16
 	* Fixed natural expiration of GM mute printing the unmute message twice (since r12169). [Ai4rei]
 2011/11/12

+ 8 - 0
src/common/socket.c

@@ -647,6 +647,14 @@ int WFIFOSET(int fd, size_t len)
 		ShowFatalError("WFIFOSET: Packet 0x%x is too big. (len=%u, max=%u)\n", (*(uint16*)(s->wdata + s->wdata_size)), (unsigned int)len, 0xFFFF);
 		exit(EXIT_FAILURE);
 	}
+	else if( len == 0 )
+	{
+		// abuses the fact, that the code that did WFIFOHEAD(fd,0), already wrote
+		// the packet type into memory, even if it could have overwritten vital data
+		// this can happen when a new packet was added on map-server, but packet len table was not updated
+		ShowWarning("WFIFOSET: Attempted to send zero-length packet, most likely 0x%04x (please report this).\n", WFIFOW(fd,0));
+		return 0;
+	}
 
 	if( !s->flag.server && len > socket_max_client_packet )
 	{// see declaration of socket_max_client_packet for details
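Review bot: The new `else if( len == 0 )` branch only reports the problem after it has happened: as its own comment says, the caller's WFIFOHEAD(fd,0) has already written the packet type into memory by the time WFIFOSET runs, so this is a diagnostic for the missing packet_len table entry, not a guard against the write itself; a length check at the WFIFOHEAD side would be the place to actually prevent the corruption, if that is wanted. Two smaller points: the branch reports the packet id via `WFIFOW(fd,0)` while the "too big" branch three lines above reads the same word as `(*(uint16*)(s->wdata + s->wdata_size))`, so one expression should be used in both for consistency; and the comment wording "abuses the fact, that the code that did WFIFOHEAD(fd,0), already wrote" would read better as "relies on the fact that the code that did WFIFOHEAD(fd,0) already wrote".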