fix: security fixes (#1974)

* fix: security fixes

dont print passwords for worlds
bound strings from clients
actually enable encryption between rakpeers
dont allow underflow when reading a string

Tested that packets are encrypted
tested that models can still be built
tested that combat still works

* add check

* use c++ nullptr instead of NULL

* initialize to 0

* globalize constant (should be in a namespace at least in the future)

* Update GameMessages.cpp

* check bounds

dNet/AuthPackets.cpp

@@ -307,6 +307,6 @@ void AuthPackets::SendLoginResponse(dServer* server, const SystemAddress& sysAdd
 		bitStream.Write(LUString(username));
 		server->SendToMaster(bitStream);
 
-		LOG("Set sessionKey: %i for user %s", sessionKey, username.c_str());
+		LOG("Set session key for user %s", username.c_str());
 	}
 }

dNet/ClientPackets.cpp

@@ -11,14 +11,16 @@ ChatMessage ClientPackets::HandleChatMessage(Packet* packet) {
 	CINSTREAM_SKIP_HEADER;
 
 	ChatMessage message;
-	uint32_t messageLength;
+	int32_t messageLength{};
 
 	inStream.Read(message.chatChannel);
 	inStream.Read(message.unknown);
 	inStream.Read(messageLength);
 
-	for (uint32_t i = 0; i < (messageLength - 1); ++i) {
-		uint16_t character;
+	if (messageLength > MAX_MESSAGE_LENGTH || messageLength < 0) return message;
+
+	for (int32_t i = 0; i < (messageLength - 1); ++i) {
+		char16_t character;
 		inStream.Read(character);
 		message.message.push_back(character);
 	}

dNet/dServer.cpp

@@ -215,6 +215,8 @@ bool dServer::Startup() {
 	mPeer = RakNetworkFactory::GetRakPeerInterface();
 
 	if (!mPeer) return false;
+
+	if (mUseEncryption) mPeer->InitializeSecurity(nullptr, nullptr, nullptr, nullptr);
 	if (!mPeer->Startup(mMaxConnections, 10, &mSocketDescriptor, 1)) return false;
 
 	if (mIsInternal) {
@@ -226,7 +228,6 @@ bool dServer::Startup() {
 	}
 
 	mPeer->SetMaximumIncomingConnections(mMaxConnections);
-	if (mUseEncryption) mPeer->InitializeSecurity(NULL, NULL, NULL, NULL);
 
 	return true;
 }