From 91b01c2fcc9ee3592d78de67e681e1ff2ca08275 Mon Sep 17 00:00:00 2001
From: KimLS
Date: Sat, 15 Jun 2013 13:08:32 -0700
Subject: [PATCH] Image fix for OP_CastSpell exploit.

---
 changelog.txt | 3 +++
 zone/client_packet.cpp | 37 +++++++------------------------------
 2 files changed, 10 insertions(+), 30 deletions(-)

diff --git a/changelog.txt b/changelog.txt
index de3743f64..73b908466 100644
--- a/changelog.txt
+++ b/changelog.txt
@@ -1,5 +1,8 @@
 EQEMu Changelog (Started on Sept 24, 2003 15:50)
 -------------------------------------------------------
+== 06/15/2013 ==
+KLS: (image) Potentially could bypass some spell checks by passing a specially crafted spell slot. This has been addressed.
+
 == 06/12/2013 ==
 KLS: Merge Hateborne's hp cap stuff
 KLS: We haven't updated changelog in a while but there's been:
diff --git a/zone/client_packet.cpp b/zone/client_packet.cpp
index 133f5caa6..dbfe3d0c1 100644
--- a/zone/client_packet.cpp
+++ b/zone/client_packet.cpp
@@ -4577,7 +4577,7 @@ void Client::Handle_OP_CastSpell(const EQApplicationPacket *app)
 LogFile->write(EQEMuLog::Debug, "cs_unknown2: 16 %p %u %u", &castspell->cs_unknown, *(uint16*) castspell->cs_unknown, *(uint16*) castspell->cs_unknown+sizeof(uint16) );
 LogFile->write(EQEMuLog::Debug, "cs_unknown2: 16 %p %i %i", &castspell->cs_unknown, *(uint16*) castspell->cs_unknown, *(uint16*) castspell->cs_unknown+sizeof(uint16) );
 #endif
-LogFile->write(EQEMuLog::Debug, "OP CastSpell: slot=%d, spell=%d, target=%d, inv=%lx", castspell->slot, castspell->spell_id, castspell->target_id, (unsigned long)castspell->inventoryslot);
+ LogFile->write(EQEMuLog::Debug, "OP CastSpell: slot=%d, spell=%d, target=%d, inv=%lx", castspell->slot, castspell->spell_id, castspell->target_id, (unsigned long)castspell->inventoryslot);
 if ((castspell->slot == USE_ITEM_SPELL_SLOT) || (castspell->slot == POTION_BELT_SPELL_SLOT)) // this means item
 {
 
@@ -4690,47 +4690,24 @@ LogFile->write(EQEMuLog::Debug, "OP CastSpell: slot=%d, spell=%d, target=%d, inv else spell_to_cast = SPELL_HARM_TOUCH2; p_timers.Start(pTimerHarmTouch, HarmTouchReuseTime); - } - - //handle disciplines, OLD, they keep changing this - if(castspell->slot == DISCIPLINE_SPELL_SLOT) { + } else if(castspell->slot == DISCIPLINE_SPELL_SLOT) { if(!UseDiscipline(castspell->spell_id, castspell->target_id)) { printf("Unknown ability being used by %s, spell being cast is: %i\n",GetName(),castspell->spell_id); InterruptSpell(castspell->spell_id); } return; - } - - if(castspell->slot < MAX_PP_MEMSPELL) - { + } else if(castspell->slot < MAX_PP_MEMSPELL) { spell_to_cast = m_pp.mem_spells[castspell->slot]; if(spell_to_cast != castspell->spell_id) { InterruptSpell(castspell->spell_id); //CHEATER!!! return; } + } else { + //If we get to here this slot should be invalid invalid + InterruptSpell(castspell->spell_id); + return; } - /* - these are coming through with slot 8 now... - else if(castspell->slot == 9) //discipline, LoH, HT, etc - { - if(GetClass() == PALADIN && castspell->spell_id == SPELL_LAY_ON_HANDS) - { - spell_to_cast = SPELL_LAY_ON_HANDS; - p_timers.Start(pTimerLayHands, LayOnHandsReuseTime); - CastSpell(spell_to_cast, castspell->target_id, castspell->slot); - } - else if(GetClass() == SHADOWKNIGHT - && (castspell->spell_id == SPELL_HARM_TOUCH || castspell->spell_id == SPELL_HARM_TOUCH2)) - { - if(GetLevel() < 40) - spell_to_cast = SPELL_HARM_TOUCH; - else - spell_to_cast = SPELL_HARM_TOUCH2; - p_timers.Start(pTimerHarmTouch, HarmTouchReuseTime); - } - else*/ - //try disciplines CastSpell(spell_to_cast, castspell->target_id, castspell->slot); }
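Review bot: The new `else if(castspell->slot < MAX_PP_MEMSPELL)` branch still indexes `m_pp.mem_spells[castspell->slot]` with a client-supplied value that is only bounded from above; if `slot` is a signed field (the debug log in the first hunk prints it with `%d`), a negative value passes the check and reads before the array, so the guard should be `} else if(castspell->slot >= 0 && castspell->slot < MAX_PP_MEMSPELL) {` (or compare as unsigned if the field already is). The new `else if` also attaches to a closing brace whose opening `if` lies before this hunk, so it is worth confirming that every earlier branch either returns or leaves `spell_to_cast` set before the final `CastSpell` call. The added comment repeats a word; `//If we get to here the slot is invalid` reads better. Handle_OP_CastSpell begins outside this hunk.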