From 8f5b55c9d76617e43edf9ebea7fea680f63ac77e Mon Sep 17 00:00:00 2001 From: David Silva Date: Wed, 29 Apr 2020 05:18:11 -0400 Subject: [PATCH] fix(ChannelReadHandler): patch vuln --- .../runnables/ChannelReadHandler.java | 64 +++++++++++++------ 1 file changed, 44 insertions(+), 20 deletions(-) diff --git a/src/main/java/com/eu/habbo/threading/runnables/ChannelReadHandler.java b/src/main/java/com/eu/habbo/threading/runnables/ChannelReadHandler.java index f21cbea6..59ccd39a 100644 --- a/src/main/java/com/eu/habbo/threading/runnables/ChannelReadHandler.java +++ b/src/main/java/com/eu/habbo/threading/runnables/ChannelReadHandler.java @@ -11,6 +11,7 @@ import io.netty.channel.ChannelHandlerContext; public class ChannelReadHandler implements Runnable { private final ChannelHandlerContext ctx; private final Object msg; + //private int _header; public ChannelReadHandler(ChannelHandlerContext ctx, Object msg) { this.ctx = ctx; 
@@ -18,29 +19,52 @@ public class ChannelReadHandler implements Runnable { } public void run() { - ByteBuf m = (ByteBuf) this.msg; - int length = m.readInt(); - short header = m.readShort(); - GameClient client = this.ctx.channel().attr(GameClientManager.CLIENT).get(); + try { + ByteBuf m = (ByteBuf) this.msg; + int length = m.readInt(); + short header = m.readShort(); + //_header = header; + GameClient client = this.ctx.channel().attr(GameClientManager.CLIENT).get(); - if (client != null) { - int count = 0; - int timestamp = Emulator.getIntUnixTimestamp(); - if (timestamp - client.lastPacketCounterCleared > 1) { - client.incomingPacketCounter.clear(); - client.lastPacketCounterCleared = timestamp; - } else { - count = client.incomingPacketCounter.getOrDefault(header, 0); + if (m.readableBytes() + 2 < length) { + return; } - if (count <= 10) { - count++; - client.incomingPacketCounter.put((int) header, count); - ByteBuf body = Unpooled.wrappedBuffer(m.readBytes(m.readableBytes())); - Emulator.getGameServer().getPacketManager().handlePacket(client, new ClientMessage(header, body)); - body.release(); + if (client != null) { + int count = 0; + int timestamp = Emulator.getIntUnixTimestamp(); + if (timestamp - client.lastPacketCounterCleared > 1) { + client.incomingPacketCounter.clear(); + client.lastPacketCounterCleared = timestamp; + } else { + if (m.readableBytes() + 2 < length) { + m.resetReaderIndex(); + client.incomingPacketCounter.put((int) header, 0); + count = 0; + return; + } else { + count = client.incomingPacketCounter.getOrDefault(header, 0); + } + } + + if (count <= 10) { + count++; + if (m.readableBytes() + 2 < length) { + m.resetReaderIndex(); + client.incomingPacketCounter.put((int) header, 0); + count = 0; + return; + } + client.incomingPacketCounter.put((int) header, count); + ByteBuf body = Unpooled.wrappedBuffer(m.readBytes(m.readableBytes())); + Emulator.getGameServer().getPacketManager().handlePacket(client, new ClientMessage(header, body)); + 
body.release(); + } } + + m.release(); + } catch (Exception e) { + //System.out.println("Potential packet overflow occurring, careful! header: " + _header + e.getMessage()); } - m.release(); } -} \ No newline at end of file +}
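Review bot: The early `return` paths and the new `catch (Exception e)` all skip `m.release()`, which now sits inside the `try`, so each truncated or malformed frame leaves a reference-counted `ByteBuf` unreleased and a remote peer can grow that leak at will. Release `m` in a `finally`, and check that six bytes are readable before `readInt()`/`readShort()` rather than relying on the swallowed exception. The second and third `m.readableBytes() + 2 < length` checks look unreachable, since nothing reads from `m` after the first check returns, so the counter resets inside them never run. The empty catch also hides every failure raised from `handlePacket`, and `body` appears to leak in the same way if that call throws.

```java
public void run() {
    ByteBuf m = (ByteBuf) this.msg;
    try {
        // 4-byte length + 2-byte header must be present before either read
        if (m.readableBytes() < 6) {
            return;
        }
        int length = m.readInt();
        short header = m.readShort();

        // single completeness check; the duplicates further down are dropped
        if (m.readableBytes() + 2 < length) {
            return;
        }

        // … unchanged: client lookup and per-header packet counter …

        ByteBuf body = Unpooled.wrappedBuffer(m.readBytes(m.readableBytes()));
        try {
            Emulator.getGameServer().getPacketManager().handlePacket(client, new ClientMessage(header, body));
        } finally {
            body.release();
        }
    } catch (Exception e) {
        // report e through the project's logger (not visible in this hunk) instead of discarding it
    } finally {
        m.release();
    }
}
```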