don't let clients kill server with bogus cursor_entitynumber values
authorhavoc <havoc@d7cf8633-e32d-0410-b094-e92efae38249>
Fri, 3 Dec 2004 05:03:12 +0000 (05:03 +0000)
committerhavoc <havoc@d7cf8633-e32d-0410-b094-e92efae38249>
Fri, 3 Dec 2004 05:03:12 +0000 (05:03 +0000)
git-svn-id: svn://svn.icculus.org/twilight/trunk/darkplaces@4821 d7cf8633-e32d-0410-b094-e92efae38249

sv_user.c

index 63c54c69ca8409d830af0d3594f3513b36963bcc..b870bf596646f287a904fcbd4d03552fd76b66a3 100644 (file)
--- a/sv_user.c
+++ b/sv_user.c
@@ -688,7 +688,12 @@ void SV_ReadClientMove (usercmd_t *move)
                move->cursor_impact[0] = MSG_ReadFloat();
                move->cursor_impact[1] = MSG_ReadFloat();
                move->cursor_impact[2] = MSG_ReadFloat();
-               move->cursor_entitynumber = MSG_ReadShort();
+               move->cursor_entitynumber = (unsigned short)MSG_ReadShort();
+               if (move->cursor_entitynumber >= sv.max_edicts)
+               {
+                       Con_DPrintf("SV_ReadClientMessage: client send bad cursor_entitynumber\n");
+                       move->cursor_entitynumber = 0;
+               }
                // as requested by FrikaC, cursor_trace_ent is reset to world if the
                // entity is free at time of receipt
                if (EDICT_NUM(move->cursor_entitynumber)->e->free)
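Review bot: The diagnostic in the new range check names `SV_ReadClientMessage`, but the hunk header shows this code is in `SV_ReadClientMove`, and it records neither the rejected value nor which client sent it. Because the value is reset to 0 right after, I would log it first with something like `Con_DPrintf("SV_ReadClientMove: client sent bad cursor_entitynumber %i\n", (int)move->cursor_entitynumber);`. Adding the client's identity, if one is in scope here, would help an operator attribute malformed packets. `Con_DPrintf` is presumably a developer-only print, so consider whether this should be visible on a production server. The `(unsigned short)` cast only removes negative indices if `cursor_entitynumber` is wider than 16 bits or unsigned. Its declaration, like the rest of the function body, is outside this hunk, so that is worth confirming.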