… | |
… | |
1388 | sl << "replyinfo skill_info\n"; |
1388 | sl << "replyinfo skill_info\n"; |
1389 | |
1389 | |
1390 | for (int i = 1; i < NUM_SKILLS; i++) |
1390 | for (int i = 1; i < NUM_SKILLS; i++) |
1391 | sl.printf ("%d:%s\n", i + CS_STAT_SKILLINFO, &skill_names[i]); |
1391 | sl.printf ("%d:%s\n", i + CS_STAT_SKILLINFO, &skill_names[i]); |
1392 | |
1392 | |
1393 | if (sl.length () >= MAXSOCKBUF) |
1393 | if (sl.length () > MAXSOCKBUF) |
1394 | { |
1394 | { |
1395 | LOG (llevError, "Buffer overflow in send_skill_info!\n"); |
1395 | LOG (llevError, "Buffer overflow in send_skill_info!\n"); |
1396 | fatal (0); |
1396 | fatal (0); |
1397 | } |
1397 | } |
1398 | |
1398 | |
… | |
… | |
1411 | sl << "replyinfo spell_paths\n"; |
1411 | sl << "replyinfo spell_paths\n"; |
1412 | |
1412 | |
1413 | for (int i = 0; i < NRSPELLPATHS; i++) |
1413 | for (int i = 0; i < NRSPELLPATHS; i++) |
1414 | sl.printf ("%d:%s\n", 1 << i, spellpathnames[i]); |
1414 | sl.printf ("%d:%s\n", 1 << i, spellpathnames[i]); |
1415 | |
1415 | |
1416 | if (sl.length () >= MAXSOCKBUF) |
1416 | if (sl.length () > MAXSOCKBUF) |
1417 | { |
1417 | { |
1418 | LOG (llevError, "Buffer overflow in send_spell_paths!\n"); |
1418 | LOG (llevError, "Buffer overflow in send_spell_paths!\n"); |
1419 | fatal (0); |
1419 | fatal (0); |
1420 | } |
1420 | } |
1421 | |
1421 | |
… | |
… | |
1584 | /* Seeing crashes by overflowed buffers. Quick arithemetic seems |
1584 | /* Seeing crashes by overflowed buffers. Quick arithemetic seems |
1585 | * to show add_spell is 26 bytes + 2 strings. However, the overun |
1585 | * to show add_spell is 26 bytes + 2 strings. However, the overun |
1586 | * is hundreds of bytes off, so correcting 22 vs 26 doesn't seem |
1586 | * is hundreds of bytes off, so correcting 22 vs 26 doesn't seem |
1587 | * like it will fix this |
1587 | * like it will fix this |
1588 | */ |
1588 | */ |
1589 | if (sl.length () >= (MAXSOCKBUF - (26 + strlen (spell->name) + (spell->msg ? strlen (spell->msg) : 0)))) |
1589 | if (sl.length () > (MAXSOCKBUF - (26 + strlen (spell->name) + (spell->msg ? strlen (spell->msg) : 0)))) |
1590 | { |
1590 | { |
1591 | pl->ns->flush_fx (); |
1591 | pl->ns->flush_fx (); |
1592 | pl->ns->send_packet (sl); |
1592 | pl->ns->send_packet (sl); |
1593 | |
1593 | |
1594 | sl.reset (); |
1594 | sl.reset (); |
… | |
… | |
1604 | return; |
1604 | return; |
1605 | } |
1605 | } |
1606 | else |
1606 | else |
1607 | append_spell (pl, sl, spell); |
1607 | append_spell (pl, sl, spell); |
1608 | |
1608 | |
1609 | if (sl.length () >= MAXSOCKBUF) |
1609 | if (sl.length () > MAXSOCKBUF) |
1610 | { |
1610 | { |
1611 | LOG (llevError, "Buffer overflow in esrv_add_spells!\n"); |
1611 | LOG (llevError, "Buffer overflow in esrv_add_spells!\n"); |
1612 | fatal (0); |
1612 | fatal (0); |
1613 | } |
1613 | } |
1614 | |
1614 | |
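Review bot: The pre-append guard at file line 1589 subtracts the estimated record size from MAXSOCKBUF, and because strlen returns size_t that subtraction is most likely unsigned: a spell whose name and msg together exceed MAXSOCKBUF - 26 would wrap the right-hand side to a very large value, so the flush branch is skipped and append_spell runs with no room left. Writing the test as an addition avoids the wrap: `if (sl.length () + 26 + strlen (spell->name) + (spell->msg ? strlen (spell->msg) : 0) > MAXSOCKBUF)`. The page does not mark which copy of each changed line is the new side; if it is the second copy, the move from `>=` to `>` here and at file lines 1393, 1416 and 1609 removes one byte of margin, even though the comment above the guard says the 26-byte estimate has been off by hundreds of bytes. Those three other checks also run only after the data has been written, so unless `sl` bounds its own writes (not visible here) they can report an overrun but not prevent it. The enclosing functions start and end outside the lines shown.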