Dupe Fix:
I'll update this if he uses any more exploits on my server.

Quote:
Both of these fixes are in world server.

File: DPSrvr.cpp, Function - CDPSrvr::OnPutItemGuildBank:
Change
Code:
    DWORD nItemNum;
to
Code:
    int nItemNum;

File: DPSrvr.cpp, Function - CDPSrvr::OnGetItemGuildBank:
Change
Code:
    DWORD dwItemNum;
to
Code:
    int dwItemNum;

Dupe fixed.
Update - Dupe explanation I posted on another forum:
Quote:
Ok... I thought this was pretty obvious, but let me try to explain.

signed int32 max (int) = -2147483647 to 2147483647
unsigned int32 max (DWORD) = 0 to 4294967295

When you cast an unsigned integer to a signed integer and it exceeds the maximum range, you get an integer overflow. The value then goes negative. So, let's try the following code.
Code:
    DWORD dwItemNum = 2147483648;
    int nItemNum = (int)dwItemNum;
nItemNum would now be -2147483549 (since it exceeded the limit).

So let's take a look at this range check in the DPSrvr.cpp file.
Code:
    if( (int)( dwItemNum ) > pItemElem->m_nItemNum ) dwItemNum = pItemElem->m_nItemNum;
    if( dwItemNum < 1 ) dwItemNum = 1;
Guess what this translates to if I send a packet with a value of 2147483747 (100 more than the signed int32 max)?
Code:
    if( -2147483549 > pItemElem->m_nItemNum ) dwItemNum = pItemElem->m_nItemNum;
    if( 2147483747 < 1 ) dwItemNum = 1;
It passes both checks, then we later see...
Code:
    CItemElem itemElem;
    itemElem = *pItemElem;
    itemElem.m_nItemNum = (short)( dwItemNum );
    itemElem.m_dwObjId = pItemElem->m_dwObjId;
->
Code:
    CItemElem itemElem;
    itemElem = *pItemElem;
    itemElem.m_nItemNum = (short)( -2147483549 ); // 99
    itemElem.m_dwObjId = pItemElem->m_dwObjId;
Say we had a twinklestone (1x) in the guild bank and we sent a packet with the item number set to 2147483747? We now have 99 twinklestones in our inventory.
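Added example (not code from the post or from the server source): the DWORD range check and the posted int fix side by side, so the signed/unsigned mismatch and the short truncation can be checked in isolation. The `ItemElem` struct and the `DWORD` typedef are constructed stand-ins for the real `CItemElem` and the Windows type.

```cpp
#include <cstdint>

typedef uint32_t DWORD;              // Windows typedef, assumed for this stand-alone example

// Constructed stand-in for the one CItemElem field the range check reads.
struct ItemElem {
    int m_nItemNum;                  // how many of the item are really in the bank
};

// Signed view of the 32-bit packet field, exactly what the (int) cast in the
// original does (modular wrap on gcc/clang/MSVC).
int as_signed(DWORD v) { return (int)v; }

// Mirrors the original DWORD version: the upper bound compares a signed view
// of the value, the lower bound compares it unsigned, and the count is then
// narrowed to short. A value just above INT_MAX passes both checks and the
// truncation to short turns it into a small positive count.
short vulnerable_clamp(DWORD dwItemNum, const ItemElem* pItemElem) {
    if ((int)(dwItemNum) > pItemElem->m_nItemNum) dwItemNum = pItemElem->m_nItemNum;
    if (dwItemNum < 1) dwItemNum = 1;
    return (short)(dwItemNum);
}

// The posted fix: hold the packet field as int, so both bounds are signed
// comparisons and the clamp to [1, m_nItemNum] runs before the narrowing cast.
short fixed_clamp(int nItemNum, const ItemElem* pItemElem) {
    if (nItemNum > pItemElem->m_nItemNum) nItemNum = pItemElem->m_nItemNum;
    if (nItemNum < 1) nItemNum = 1;
    return (short)(nItemNum);
}
```

With one item in the bank, the DWORD version hands back 99 for a packet value of 2147483747 while the int version clamps it to 1.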