[Crash] Unchecked userData.loadout.* accesses in saveEquip handler #65

@coderabbitai

Summary

Services server crashes when userData.loadout nested properties are undefined in saveEquip handler.

Affected Code

server-services/start-services.js:595-627 (10+ property accesses)

userData.loadout.classIdx = Math.clamp(Math.floor(msg.class_idx), 0, CharClass.length - 1);
userData.loadout.primaryId[0] = msg.soldier_primary_item_id;    // CRASH if primaryId undefined
userData.loadout.secondaryId[0] = msg.soldier_secondary_item_id; // CRASH if secondaryId undefined
userData.loadout.primaryId[1] = msg.scrambler_primary_item_id;
userData.loadout.secondaryId[1] = msg.scrambler_secondary_item_id;
userData.loadout.primaryId[2] = msg.ranger_primary_item_id;
userData.loadout.secondaryId[2] = msg.ranger_secondary_item_id;
userData.loadout.primaryId[3] = msg.eggsploder_primary_item_id;
userData.loadout.secondaryId[3] = msg.eggsploder_secondary_item_id;
userData.loadout.hatId = msg.hat_id;           // CRASH if loadout undefined
userData.loadout.stampId = msg.stamp_id;       // CRASH if loadout undefined
userData.loadout.colorIdx = Math.clamp(...);   // CRASH if loadout undefined

Vulnerability

The crash occurs if the database returns a corrupted userData.loadout without these fields.

Impact

  • Services server crash on saveEquip
  • Denial of service

Recommended Fix

if (!userData.loadout) userData.loadout = {};
if (!userData.loadout.primaryId) userData.loadout.primaryId = [];
if (!userData.loadout.secondaryId) userData.loadout.secondaryId = [];
// Then proceed with assignments
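An added example, not part of the original issue or the project's code: it goes one step past the truthiness checks above and rebuilds the loadout shape, so a truthy non-array primaryId (a string or number from a corrupted record) is handled as well as a missing one. The function names, the class list derived from the msg field names, the local clamp helper and the assumption that item ids are integers are all hypothetical; colorIdx is left out because its clamp arguments are elided on the page.

```javascript
'use strict';

// Class order taken from the msg field names in the issue (assumption).
const CLASS_NAMES = ['soldier', 'scrambler', 'ranger', 'eggsploder'];

// Local stand-in for the project's Math.clamp (hypothetical helper).
const clamp = (v, lo, hi) => Math.min(Math.max(v, lo), hi);

// Coerce whatever the database returned into a loadout with the expected shape.
function normalizeLoadout(raw) {
  const src = raw !== null && typeof raw === 'object' && !Array.isArray(raw) ? raw : {};
  const slots = (v) => {
    const arr = Array.isArray(v) ? v : [];
    // One slot per class; anything that is not an integer id becomes null.
    return CLASS_NAMES.map((_, i) => (Number.isInteger(arr[i]) ? arr[i] : null));
  };
  return { ...src, primaryId: slots(src.primaryId), secondaryId: slots(src.secondaryId) };
}

// Hypothetical saveEquip body: normalize first, then assign field by field.
function applySaveEquip(userData, msg) {
  const loadout = normalizeLoadout(userData.loadout);
  const idx = Math.floor(Number(msg.class_idx));
  loadout.classIdx = Number.isFinite(idx) ? clamp(idx, 0, CLASS_NAMES.length - 1) : 0;
  CLASS_NAMES.forEach((name, i) => {
    const p = msg[`${name}_primary_item_id`];
    const s = msg[`${name}_secondary_item_id`];
    // Assumption: item ids are integers; keep the stored value otherwise.
    if (Number.isInteger(p)) loadout.primaryId[i] = p;
    if (Number.isInteger(s)) loadout.secondaryId[i] = s;
  });
  if (Number.isInteger(msg.hat_id)) loadout.hatId = msg.hat_id;
  if (Number.isInteger(msg.stamp_id)) loadout.stampId = msg.stamp_id;
  userData.loadout = loadout;
  return loadout;
}

// Constructed sample message and corrupted records (not real game data).
const sampleMsg = {
  class_idx: 2.7, soldier_primary_item_id: 3100, soldier_secondary_item_id: 3000,
  ranger_primary_item_id: 3400, hat_id: 1001, stamp_id: 'x',
};
const corrupted = [undefined, null, {}, { primaryId: 'oops' }, { primaryId: [1, 2], secondaryId: 7 }];
// None of these records makes the handler throw.
const results = corrupted.map((l) => applySaveEquip({ loadout: l }, sampleMsg));
```
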
