From 48cc526c7e562c2d24131a173f8159e525f20eb0 Mon Sep 17 00:00:00 2001
From: Alibek Omarov
Date: Sun, 15 Dec 2024 18:22:40 +0300
Subject: [PATCH] engine: client: fix possible svc_pings misparse by reading until null bit is encountered

---
 engine/client/cl_parse.c | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/engine/client/cl_parse.c b/engine/client/cl_parse.c
index 335f120994..715106d9ee 100644
--- a/engine/client/cl_parse.c
+++ b/engine/client/cl_parse.c
@@ -1593,17 +1593,23 @@ collect pings and packet lossage from clients
 */
 void CL_UpdateUserPings( sizebuf_t *msg )
 {
- int i, slot;
- player_info_t *player;
-
- for( i = 0; i < MAX_CLIENTS; i++ )
+ // a1ba: there was a MAX_PLAYERS check but it doesn't make sense
+ // because pings message always ends by null bit
+ while( 1 )
 {
- if( !MSG_ReadOneBit( msg )) break; // end of message
+ int slot;
+ player_info_t *player;
+
+ if( !MSG_ReadOneBit( msg ))
+ break; // end of message
 slot = MSG_ReadUBitLong( msg, MAX_CLIENT_BITS );
- if( slot >= MAX_CLIENTS )
+ if( unlikely( slot >= MAX_CLIENTS ))
+ {
 Host_Error( "%s: svc_pings > MAX_CLIENTS\n", __func__ );
+ return;
+ }
 player = &cl.players[slot];
 player->ping = MSG_ReadUBitLong( msg, 12 );