authorjackpoz <giacomopoz@gmail.com>2014-04-23 20:01:20 +0200
committerjackpoz <giacomopoz@gmail.com>2014-04-23 20:01:20 +0200
commit6b42f99540dda13b622fe1653993e3b84709efc7 (patch)
treef7ea263e92049efd8ae0ff256d7e5c309af59aaf
parent698690038e7e66ab0d983ddc03c9f300dc823787 (diff)
Core/AuctionHouse: Fix AuctionHouse exploit
Fix an exploit in the Auction House, triggered with either CheatEngine or WPE, that allowed a player to sell more items than they had in their inventory or to crash worldserver. Fixes #11831 Fixes #11928
-rw-r--r--src/server/game/Handlers/AuctionHouseHandler.cpp21
1 files changed, 20 insertions, 1 deletions
diff --git a/src/server/game/Handlers/AuctionHouseHandler.cpp b/src/server/game/Handlers/AuctionHouseHandler.cpp
index d9e4feb7f85..86fa0429cce 100644
--- a/src/server/game/Handlers/AuctionHouseHandler.cpp
+++ b/src/server/game/Handlers/AuctionHouseHandler.cpp
@@ -119,7 +119,9 @@ void WorldSession::HandleAuctionSellItem(WorldPacket& recvData)
recvData >> itemsCount;
uint64 itemGUIDs[MAX_AUCTION_ITEMS]; // 160 slot = 4x 36 slot bag + backpack 16 slot
+ memset(itemGUIDs, 0, sizeof(itemGUIDs));
uint32 count[MAX_AUCTION_ITEMS];
+ memset(count, 0, sizeof(count));
if (itemsCount > MAX_AUCTION_ITEMS)
{
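Review bot: Zeroing the two arrays with a separate `memset` leaves a gap between declaration and initialisation that a later edit could fill with a read. Value-initialising at the declaration does the same work in one place: `uint64 itemGUIDs[MAX_AUCTION_ITEMS] = {};` and `uint32 count[MAX_AUCTION_ITEMS] = {};`. A short comment saying which later read relies on the zeroing would help, since that read is not visible in this hunk. The function body starts and ends outside the hunk.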
@@ -187,6 +189,7 @@ void WorldSession::HandleAuctionSellItem(WorldPacket& recvData)
Item* items[MAX_AUCTION_ITEMS];
uint32 finalCount = 0;
+ uint32 itemEntry = 0;
for (uint32 i = 0; i < itemsCount; ++i)
{
@@ -198,9 +201,12 @@ void WorldSession::HandleAuctionSellItem(WorldPacket& recvData)
return;
}
+ if (itemEntry == 0)
+ itemEntry = item->GetTemplate()->ItemId;
+
if (sAuctionMgr->GetAItem(item->GetGUIDLow()) || !item->CanBeTraded() || item->IsNotEmptyBag() ||
item->GetTemplate()->Flags & ITEM_PROTO_FLAG_CONJURED || item->GetUInt32Value(ITEM_FIELD_DURATION) ||
- item->GetCount() < count[i])
+ item->GetCount() < count[i] || itemEntry != item->GetTemplate()->ItemId)
{
SendAuctionCommandResult(0, AUCTION_SELL_ITEM, ERR_AUCTION_DATABASE_ERROR);
return;
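Review bot: The new `itemEntry != item->GetTemplate()->ItemId` rejection shares a branch with the ordinary validation failures, so it returns the generic `ERR_AUCTION_DATABASE_ERROR` and leaves no server-side trace. Going by the commit message, a mixed-entry list should only come from a tampered packet, so it is worth giving this case its own branch that logs the account and the offending item GUIDs before returning, so that repeat attempts can be detected. The `0` sentinel also deserves a comment above `if (itemEntry == 0)`, for example `// all items in one auction must share an entry; 0 = first item not seen yet`. The enclosing loop and the null check on `item` start outside the hunk.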
@@ -216,6 +222,19 @@ void WorldSession::HandleAuctionSellItem(WorldPacket& recvData)
return;
}
+ // check if there are 2 identical guids, in this case user is most likely cheating
+ for (uint32 i = 0; i < itemsCount - 1; ++i)
+ {
+ for (uint32 j = i + 1; j < itemsCount; ++j)
+ {
+ if (itemGUIDs[i] == itemGUIDs[j])
+ {
+ SendAuctionCommandResult(0, AUCTION_SELL_ITEM, ERR_AUCTION_DATABASE_ERROR);
+ return;
+ }
+ }
+ }
+
for (uint32 i = 0; i < itemsCount; ++i)
{
Item* item = items[i];
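Review bot: The outer bound `itemsCount - 1` is evaluated in `uint32`, so if `itemsCount` can be 0 at this point it wraps to 0xFFFFFFFF. The inner loop never runs in that case, so nothing is read out of bounds, but the outer loop would spin through roughly four billion iterations on the thread handling the packet. Whether an earlier guard rejects an empty list is not visible in this hunk. Writing the bound as `for (uint32 i = 0; i + 1 < itemsCount; ++i)` removes the dependency on such a guard. The comment could also state the invariant rather than the suspicion, e.g. `// each item GUID may appear only once, otherwise one stack passes the count check several times`.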