5262d1bbcc
Yesterday, while experimenting with my network code, I found a security issue in decode_variant, at least when decoding PoolArrays. The size of the PoolArray is encoded as a uint32_t, but during decoding that value is cast to int for the check that the packet actually has that size; sizes with the MSB set are therefore interpreted as negative and always pass the check. The same value is then used as a uint32_t again to resize the output vector. Consequently, a malformed packet that declares type PoolByteArray with a size of 2^31 (+x) makes the engine try to allocate 2+ GB of pool memory, which crashes the engine.