Buffer overflow in ProcessSocketCmd()
Locked
FLHook Development
-
Couldn't find any topic describing this, so I made a new one.
Here it goes, buffer overrun:

```cpp
wchar_t wszPass[256];
if(wscCmd.length() >= sizeof(wszPass)) //<<<
{
    sc->csock.Print(L"ERR Wrong password\n");
    return false;
}
swscanf(wscCmd.c_str(), L"pass %s", wszPass);
```

I didn't check this for any security vulnerabilities, but it's a very simple way to crash the server through this bug. I didn't test the solution yet, but I think that this will work:

```cpp
if(wscCmd.length()*2 >= sizeof(wszPass)) { <...> }
```
-
I found this out the hard way since someone was crashing our server with this exploit.
Your fix should work though. At one point I tried it with wscCmd.size(), but that does not return the size in bytes… I ended up comparing wscCmd.length() with 256.
I will include this and some other crucial bugfixes in the FLHook Plugin version.
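The root cause in the snippet above is a unit mismatch: `wscCmd.length()` counts wide characters while `sizeof(wszPass)` counts bytes, so a command of 256 or more characters passes the guard and `swscanf` writes past the 256-element buffer. The following is an added example, not FLHook's own code, showing the original guard and a fixed one side by side, plus a password parser that checks the element count and also gives `swscanf` a field width so the copy is bounded regardless of the guard. `kPassBufChars`, `BuggyGuardRejects`, `FixedGuardRejects` and `ParsePassCommand` are names chosen here; the example compares element counts rather than multiplying by 2, so it does not depend on `wchar_t` being two bytes.

```cpp
#include <cstddef>
#include <cstdio>
#include <cwchar>
#include <string>

// Buffer size from the thread: 256 wchar_t ELEMENTS, not bytes.
constexpr size_t kPassBufChars = 256;
// What sizeof(wszPass) actually yields: 512 bytes with a 2-byte wchar_t
// (Windows), 1024 with a 4-byte wchar_t (Linux/glibc).
constexpr size_t kPassBufBytes = sizeof(wchar_t[kPassBufChars]);

// The original guard: character count compared against a byte count.
// Any command of kPassBufChars .. kPassBufBytes-1 characters is admitted
// even though it cannot fit in the buffer.
bool BuggyGuardRejects(size_t cmdLength)
{
    return cmdLength >= kPassBufBytes;
}

// Fixed guard: character count compared against the element count.
bool FixedGuardRejects(size_t cmdLength)
{
    return cmdLength >= kPassBufChars;
}

// Hardened extraction of the "pass <password>" command (hypothetical helper).
// 1. Reject by element count, as the thread's fix does.
// 2. Give the conversion a field width so swscanf itself cannot overrun the
//    buffer even if the guard is ever wrong again. %ls is the portable wide
//    string conversion; the width counts characters and leaves room for NUL.
// Returns true and fills `out` on success, false if the command is rejected.
bool ParsePassCommand(const std::wstring& wscCmd, std::wstring& out)
{
    static_assert(kPassBufChars == 256, "field width below must match buffer size minus one");
    wchar_t wszPass[kPassBufChars];

    if (wscCmd.length() >= kPassBufChars)
        return false;                       // would not fit: "ERR Wrong password"

    if (std::swscanf(wscCmd.c_str(), L"pass %255ls", wszPass) != 1)
        return false;                       // not a "pass ..." command

    out = wszPass;
    return true;
}

int main()
{
    // Constructed inputs: a normal command and an over-long one.
    std::wstring ok = L"pass hunter2";
    std::wstring tooLong = L"pass " + std::wstring(400, L'a');

    std::printf("buggy guard rejects 300-char command:  %d\n", BuggyGuardRejects(tooLong.length()));
    std::printf("fixed guard rejects 300-char command:  %d\n", FixedGuardRejects(tooLong.length()));

    std::wstring pw;
    std::printf("parse normal command: %d\n", ParsePassCommand(ok, pw));
    std::printf("parse over-long command: %d\n", ParsePassCommand(tooLong, pw));
    return 0;
}
```

The `static_assert` ties the literal width in the format string to the buffer size, which is the part most likely to drift apart in later edits; if the buffer is resized, the compiler forces the width to be revisited.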