From ce2f622ef03881e5efed3d67307fece9966c4353 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Stefano=20Borz=C3=AC?=
Date: Sat, 7 Mar 2020 10:12:16 +0100
Subject: [PATCH] fix(core/packet): check malformed guild packet to prevent client crash (#2739)
* Update AuctionHouseHandler.cpp
* fix(core/packet): prevent crash for malformed guild message
* fix(lint): fix codacy warnings
---
 src/server/game/Handlers/GuildHandler.cpp | 64 +++++++++++++++++++++++
 1 file changed, 64 insertions(+)
diff --git a/src/server/game/Handlers/GuildHandler.cpp b/src/server/game/Handlers/GuildHandler.cpp
index 265636e2e..8863d3673 100644
--- a/src/server/game/Handlers/GuildHandler.cpp
+++ b/src/server/game/Handlers/GuildHandler.cpp
@@ -16,6 +16,11 @@
 #include "GossipDef.h"
 #include "SocialMgr.h"
+// Cleanup bad characters
+void cleanStr(std::string &str) {
+ str.erase(remove(str.begin(), str.end(), '|'), str.end());
+}
+
 void WorldSession::HandleGuildQueryOpcode(WorldPacket& recvPacket)
 {
 uint32 guildId;
@@ -180,6 +185,13 @@ void WorldSession::HandleGuildMOTDOpcode(WorldPacket& recvPacket)
 sLog->outDebug(LOG_FILTER_GUILD, "CMSG_GUILD_MOTD [%s]: MOTD: %s", GetPlayerInfo().c_str(), motd.c_str());
 #endif
+ // Check for overflow
+ if (motd.length() > 128)
+ return;
+
+ // Cleanup bad characters
+ cleanStr(motd);
+
 if (Guild* guild = GetPlayer()->GetGuild())
 guild->HandleSetMOTD(this, motd);
 }
@@ -193,6 +205,14 @@ void WorldSession::HandleGuildSetPublicNoteOpcode(WorldPacket& recvPacket)
 #if defined(ENABLE_EXTRAS) && defined(ENABLE_EXTRA_LOGS)
 sLog->outDebug(LOG_FILTER_GUILD, "CMSG_GUILD_SET_PUBLIC_NOTE [%s]: Target: %s, Note: %s", GetPlayerInfo().c_str(), playerName.c_str(), note.c_str());
 #endif
+
+ // Check for overflow
+ if (note.length() > 31)
+ return;
+
+ // Cleanup bad characters
+ cleanStr(note);
+
 if (normalizePlayerName(playerName))
 if (Guild* guild = GetPlayer()->GetGuild())
 guild->HandleSetMemberNote(this, playerName, note, true);
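Review bot: `cleanStr` in the first hunk has external linkage and a generic name, so any other translation unit that defines a `cleanStr(std::string&)` will collide with it at link time; give it internal linkage with `static void cleanStr(std::string& str)` (or an anonymous namespace). The unqualified `remove` resolves only because ADL reaches `std::remove` through the string iterators, and `<algorithm>` is not visibly included, so spell it `str.erase(std::remove(str.begin(), str.end(), '|'), str.end());` and include the header explicitly rather than relying on it arriving transitively. The `{` on the signature line also departs from the brace-on-its-own-line style the rest of the file uses. A comment on why `|` specifically is stripped would help the next reader, e.g. `// '|' presumably starts client-side link/colour markup; strip it so a crafted string cannot inject it` (the patch itself only says "bad characters").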
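Review bot: The MOTD guard `if (motd.length() > 128)` in the second hunk compares a byte count, so if 128 is the client's limit in characters a legitimate multi-byte UTF-8 MOTD under that limit is rejected, and if it is a byte limit the comment should say so; a comment such as `// client field limit is 128 bytes; anything longer can only come from a modified client` documents the number either way. Because an oversize value presumably cannot come from an unmodified client, the bare `return` discards useful evidence: the `sLog->outDebug` above it only fires under `ENABLE_EXTRA_LOGS`, so consider an unconditional log of the offending session at the rejection point, as a malformed-packet signal is worth keeping for operators. The same byte-versus-character question applies to every limit this patch adds.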
@@ -208,6 +228,14 @@ void WorldSession::HandleGuildSetOfficerNoteOpcode(WorldPacket& recvPacket)
 sLog->outDebug(LOG_FILTER_GUILD, "CMSG_GUILD_SET_OFFICER_NOTE [%s]: Target: %s, Note: %s", GetPlayerInfo().c_str(), playerName.c_str(), note.c_str());
 #endif
+
+ // Check for overflow
+ if (note.length() > 31)
+ return;
+
+ // Cleanup bad characters
+ cleanStr(note);
+
 if (normalizePlayerName(playerName))
 if (Guild* guild = GetPlayer()->GetGuild())
 guild->HandleSetMemberNote(this, playerName, note, false);
@@ -238,6 +266,13 @@ void WorldSession::HandleGuildRankOpcode(WorldPacket& recvPacket)
 return;
 }
+ // Check for overflow
+ if (rankName.length() > 15)
+ return;
+
+ // Cleanup bad characters
+ cleanStr(rankName);
+
 GuildBankRightsAndSlotsVec rightsAndSlots(GUILD_BANK_MAX_TABS);
 for (uint8 tabId = 0; tabId < GUILD_BANK_MAX_TABS; ++tabId)
@@ -263,6 +298,13 @@ void WorldSession::HandleGuildAddRankOpcode(WorldPacket& recvPacket)
 sLog->outDebug(LOG_FILTER_GUILD, "CMSG_GUILD_ADD_RANK [%s]: Rank: %s", GetPlayerInfo().c_str(), rankName.c_str());
 #endif
+ // Check for overflow
+ if (rankName.length() > 15)
+ return;
+
+ // Cleanup bad characters
+ cleanStr(rankName);
+
 if (Guild* guild = GetPlayer()->GetGuild())
 guild->HandleAddNewRank(this, rankName);
 }
@@ -286,6 +328,13 @@ void WorldSession::HandleGuildChangeInfoTextOpcode(WorldPacket& recvPacket)
 sLog->outDebug(LOG_FILTER_GUILD, "CMSG_GUILD_INFO_TEXT [%s]: %s", GetPlayerInfo().c_str(), info.c_str());
 #endif
+ // Check for overflow
+ if (info.length() > 500)
+ return;
+
+ // Cleanup bad characters
+ cleanStr(info);
+
 if (Guild* guild = GetPlayer()->GetGuild())
 guild->HandleSetInfo(this, info);
 }
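Review bot: The officer-note limit `if (note.length() > 31)` in this hunk repeats the literal used for the public note in the previous hunk, and `15` for rank names and `500` for info text and bank-tab text are likewise duplicated across handlers, so the pairs can silently drift apart on a later edit. Hoist them into named constants next to `cleanStr` at the top of the file, e.g. `static constexpr size_t GUILD_NOTE_MAX_LENGTH = 31;` and `static constexpr size_t GUILD_RANK_NAME_MAX_LENGTH = 15;`, and compare against those. The names would also replace the `// Check for overflow` comment, which misdescribes the check: a `std::string` cannot overflow here, the guard rejects values longer than what the client presumably accepts.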
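Review bot: In the HandleGuildAddRankOpcode hunk `cleanStr(rankName)` runs after the length check, so a name made only of `|` characters passes the check and reaches `guild->HandleAddNewRank(this, rankName)` as an empty string. If an empty rank name is not acceptable (the bank-tab handler later in this patch does guard with `!name.empty()` after cleaning), add `if (rankName.empty()) return;` directly after the cleanup. The rename handler in the previous hunk presumably forwards `rankName` the same way and would want the same guard, though its body continues past the end of that hunk.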
@@ -532,6 +581,14 @@ void WorldSession::HandleGuildBankUpdateTab(WorldPacket& recvData)
 sLog->outDebug(LOG_FILTER_GUILD, "CMSG_GUILD_BANK_UPDATE_TAB [%s]: Go: [" UI64FMTD "], TabId: %u, Name: %s, Icon: %s" , GetPlayerInfo().c_str(), guid, tabId, name.c_str(), icon.c_str());
 #endif
+
+ // Check for overflow
+ if (name.length() > 16 || icon.length() > 128)
+ return;
+
+ // Cleanup bad characters
+ cleanStr(name);
+
 if (!name.empty() && !icon.empty())
 if (GetPlayer()->GetGameObjectIfCanInteractWith(guid, GAMEOBJECT_TYPE_GUILD_BANK))
 if (Guild* guild = GetPlayer()->GetGuild())
@@ -574,6 +631,13 @@ void WorldSession::HandleSetGuildBankTabText(WorldPacket &recvData)
 sLog->outDebug(LOG_FILTER_GUILD, "CMSG_SET_GUILD_BANK_TEXT [%s]: TabId: %u, Text: %s", GetPlayerInfo().c_str(), tabId, text.c_str());
 #endif
+ // Check for overflow
+ if (text.length() > 500)
+ return;
+
+ // Cleanup bad characters
+ cleanStr(text);
+
 if (Guild* guild = GetPlayer()->GetGuild())
 guild->SetBankTabText(tabId, text);
 }
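Review bot: In the HandleGuildBankUpdateTab hunk `icon` is length-checked but, unlike `name`, not passed through `cleanStr`, so a `|` in the icon string still reaches the guild untouched. If the icon string is echoed to other clients the way the tab name is, it needs `cleanStr(icon);` next to `cleanStr(name);`; if it is deliberately left alone (it is presumably a texture path rather than display text) a comment such as `// icon is not cleaned: not rendered as chat text` would stop the next reader from "fixing" it. The `!name.empty()` test after cleaning is in the right order, since a name made only of `|` is reduced to empty and dropped there. The enclosing function continues past the end of the hunk.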