Fix issue with ControlBoat_Struct and OP_BoardBoat

changelog.txt

@@ -1,5 +1,8 @@
 EQEMu Changelog (Started on Sept 24, 2003 15:50)
 -------------------------------------------------------
+== 11/16/2014 ==
+demonstar55: fix size issue with ControlBoat_Struct and exploit fix in OP_BoardBoat
+
 == 11/15/2014 ==
 Uleat(Natedog): A better fix for OP_ShopPlayerBuy - doesn't cause the issues that I introduced
 

common/eq_packet_structs.h

@@ -4383,7 +4383,7 @@ typedef struct {
 struct ControlBoat_Struct {
 /*000*/	uint32	boatId;			// entitylist id of the boat
 /*004*/	bool	TakeControl;	// 01 if taking control, 00 if releasing it
-/*007*/							// no idea what these last three bytes represent
+/*007*/	char	unknown[3];		// no idea what these last three bytes represent
 };
 
 struct AugmentInfo_Struct

zone/client_packet.cpp

@@ -3842,19 +3842,23 @@ void Client::Handle_OP_BlockedBuffs(const EQApplicationPacket *app)
 
 void Client::Handle_OP_BoardBoat(const EQApplicationPacket *app)
 {
-
+	// this sends unclean mob name, so capped at 64
-	if (app->size <= 5)
+	// a_boat006
+	if (app->size <= 5 || app->size > 64) {
+		LogFile->write(EQEMuLog::Error, "Size mismatch in OP_BoardBoad. Expected greater than 5 less than 64, got %i", app->size);
+		DumpPacket(app);
 		return;
+	}
 
-	char *boatname;
+	char boatname[64];
-	boatname = new char[app->size - 3];
+	memcpy(boatname, app->pBuffer, app->size);
-	memset(boatname, 0, app->size - 3);
+	boatname[63] = '\0';
-	memcpy(boatname, app->pBuffer, app->size - 4);
 
 	Mob* boat = entity_list.GetMob(boatname);
-	if (boat)
+	if (!boat || (boat->GetRace() != CONTROLLED_BOAT && boat->GetRace() != 502))
-		this->BoatID = boat->GetID();	// set the client's BoatID to show that it's on this boat
+		return;
-	safe_delete_array(boatname);
+	BoatID = boat->GetID();	// set the client's BoatID to show that it's on this boat
+
 	return;
 }