From b76d7fbb9382f077b65085e003e8a9922181e0f6 Mon Sep 17 00:00:00 2001
From: Rye Mutt <rye@alchemyviewer.org>
Date: Sun, 23 Aug 2020 19:38:00 -0400
Subject: [PATCH] Fix unaligned integer copy in net stack

---
 indra/llmessage/llpacketack.cpp | 4 +++-
 indra/llmessage/message.cpp     | 7 +++++--
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/indra/llmessage/llpacketack.cpp b/indra/llmessage/llpacketack.cpp
index c3c022c2973..2aeb2c4187e 100644
--- a/indra/llmessage/llpacketack.cpp
+++ b/indra/llmessage/llpacketack.cpp
@@ -66,7 +66,9 @@ LLReliablePacket::LLReliablePacket(
 	}
 
 	mExpirationTime = (F64Seconds)totalTime() + mTimeout;
-	mPacketID = ntohl(*((U32*)(&buf_ptr[PHL_PACKET_ID])));
+	U32 buf_packet_id = 0U;
+	memcpy(&buf_packet_id, buf_ptr + PHL_PACKET_ID, sizeof(buf_packet_id));
+	mPacketID = ntohl(buf_packet_id);
 
 	mSocket = socket;
 	if (mRetries)
diff --git a/indra/llmessage/message.cpp b/indra/llmessage/message.cpp
index da62bb12e8a..b375b30e621 100644
--- a/indra/llmessage/message.cpp
+++ b/indra/llmessage/message.cpp
@@ -557,7 +557,9 @@ BOOL LLMessageSystem::checkMessages(LockMessageChecker&, S64 frame_count )
 
 			// process the message as normal
 			mIncomingCompressedSize = zeroCodeExpand(&buffer, &receive_size);
-			mCurrentRecvPacketID = ntohl(*((U32*)(&buffer[1])));
+			U32 cur_rec_pkt_id = 0U;
+			memcpy(&cur_rec_pkt_id, buffer + PHL_PACKET_ID, sizeof(cur_rec_pkt_id));
+			mCurrentRecvPacketID = ntohl(cur_rec_pkt_id);
 			host = getSender();
 
 			const bool resetPacketId = true;
@@ -1178,7 +1180,8 @@ S32 LLMessageSystem::sendMessage(const LLHost &host)
 	cdp->nextPacketOutID();
 
 	// Packet ID size is always 4
-	*((S32*)&mSendBuffer[PHL_PACKET_ID]) = htonl(cdp->getPacketOutID());
+	U32 packet_out_id = static_cast<U32>(htonl(cdp->getPacketOutID()));
+	memcpy(mSendBuffer + PHL_PACKET_ID, &packet_out_id, sizeof(packet_out_id));
 
 	// Compress the message, which will usually reduce its size.
 	U8 * buf_ptr = (U8 *)mSendBuffer;
-- 
GitLab