Hey,
I want to report a security bug I have found in Warzone 2.0.3 and latest
SVN version:
recvTextMessage is the function used by the server for handling the
text messages sent by the clients.
This function uses the msg buffer, which has a size of 256
(MAX_CONSOLE_STRING_LENGTH) bytes, for containing the entire message to
send to all the other clients using the following format:
players_name : message
The size of the data block can be max 8000 (MaxMsgSize) bytes so an
attacker can cause a buffer-overflow for crashing the server or
executing malicious code.
From multiplay.c:
    BOOL recvTextMessage(NETMSG *pMsg)
    {
        DPID dpid;
        UDWORD i;
        STRING msg[MAX_CONSOLE_STRING_LENGTH];

        NetGet(pMsg,0,dpid);
        for(i = 0; NetPlay.players[i].dpid != dpid; i++);  // find player
        strcpy(msg,NetPlay.players[i].name);                // name
        strcat(msg," : ");                                  // separator
        strcat(msg, &(pMsg->body[4]));                      // add message
        addConsoleMessage((char *)&msg,DEFAULT_JUSTIFY);    // display it.
        ...
For testing the bug it's enough to modify sendTextMessage using a message
of more than 256 bytes.
BYEZ
---
Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org
_______________________________________________
Warzone-dev mailing list
[email protected]
https://mail.gna.org/listinfo/warzone-dev
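A bounded replacement for the strcpy/strcat chain in recvTextMessage, added here as an example and not part of Luigi's report or Warzone's source. The function names, the FMT_* result codes and the oversized sample body are assumptions; the 256 and 8000 limits are the ones quoted above.

```c
#include <stdio.h>
#include <string.h>

#define MAX_CONSOLE_STRING_LENGTH 256   /* size of msg[] in recvTextMessage */
#define MaxMsgSize 8000                 /* largest data block a client may send */

/* Result codes for the bounded formatter (assumed names). */
enum { FMT_OK = 0, FMT_TRUNCATED = 1, FMT_BAD_INPUT = -1 };

/*
 * Build "name : message" into out[outsz] without writing past the end.
 * body/bodylen describe the received bytes exactly as they arrived, so a
 * packet that lacks a NUL terminator cannot make the copy run on either.
 * Returns FMT_OK, FMT_TRUNCATED (text was cut to fit) or FMT_BAD_INPUT.
 */
int format_console_message(char *out, size_t outsz, const char *name,
                           const char *body, size_t bodylen)
{
    if (out == NULL || outsz == 0 || name == NULL || body == NULL)
        return FMT_BAD_INPUT;
    if (bodylen > MaxMsgSize)
        return FMT_BAD_INPUT;       /* longer than any legal data block */

    /* Text length bounded by what was received, not by a trusted NUL. */
    const char *nul = memchr(body, '\0', bodylen);
    size_t textlen = nul ? (size_t)(nul - body) : bodylen;

    /* %.*s never reads past textlen; snprintf never writes past outsz. */
    int needed = snprintf(out, outsz, "%s : %.*s", name, (int)textlen, body);
    if (needed < 0)
        return FMT_BAD_INPUT;
    return ((size_t)needed < outsz) ? FMT_OK : FMT_TRUNCATED;
}

/* Same call sized like the original 256-byte console buffer. */
int format_into_console_buffer(char *out, const char *name,
                               const char *body, size_t bodylen)
{
    return format_console_message(out, MAX_CONSOLE_STRING_LENGTH,
                                  name, body, bodylen);
}

/* Constructed input: a full MaxMsgSize body with no terminator at all. */
int demo_oversized_body(char *out)
{
    static char big[MaxMsgSize];
    memset(big, 'A', sizeof big);
    return format_into_console_buffer(out, "player", big, sizeof big);
}
```

A caller that gets FMT_TRUNCATED can log it as a malformed client message rather than silently displaying a cut string.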