Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

possible out-of-bounds read in _network_company_states #3755

Closed
DorpsGek opened this issue Apr 11, 2010 · 4 comments
Closed

possible out-of-bounds read in _network_company_states #3755

DorpsGek opened this issue Apr 11, 2010 · 4 comments
Labels
flyspray This issue is imported from FlySpray (https://bugs.openttd.org/)

Comments

@DorpsGek
Copy link
Member

SmatZ opened the ticket and wrote:

As Yexo pointed out, there are several places where
_network_company_states[ci->client_playas]
is accessed without checking for COMPANY_SPECTATOR first.

I wasn't able to crash the server this way, nor trigger a valgrind warning, but all these places should be checked with special care to invalid/unexpected packets (PACKET_CLIENT_SET_PASSWORD, PACKET_CLIENT_PASSWORD from spectators)

Reported version: 1.0.0
Operating system: All

This issue was imported from FlySpray: https://bugs.openttd.org/task/3755
@DorpsGek
Copy link
Member Author

SmatZ wrote:

It seems there is only one problem. The easy way to crash the server was fixed by r19607.
Still, there is invalid read when a client is moved to spectators while connecting.

That is:
client wants to join passworded company
when he is typing the password, server uses "move client 255"
when client sends the packet with password, server does invalid read

attached patch fixes the invalid read, but when client connects, he joins wrong company (and is later kicked because there is a desync between server- and client-side 'client_playas')

Attachments

This comment was imported from FlySpray: https://bugs.openttd.org/task/3755#comment7844

@DorpsGek
Copy link
Member Author

SmatZ wrote:

The problem is in network_client.cpp, DEF_CLIENT_RECEIVE_COMMAND(PACKET_SERVER_MOVE):

NetworkClientInfo *ci = NetworkFindClientInfoFromClientID(client_id);
returns NULL even for client_id == local client

This comment was imported from FlySpray: https://bugs.openttd.org/task/3755#comment7845

@DorpsGek
Copy link
Member Author

SmatZ wrote:

The harder way is fixed in r19613. Let's wait with closing this bug, so it stays privated.

This comment was imported from FlySpray: https://bugs.openttd.org/task/3755#comment7847

@DorpsGek
Copy link
Member Author

SmatZ closed the ticket.

Reason for closing: Fixed

In r19607 and r19613. Needs backporting to 1.0.

This comment was imported from FlySpray: https://bugs.openttd.org/task/3755

@DorpsGek DorpsGek added Core flyspray This issue is imported from FlySpray (https://bugs.openttd.org/) labels Apr 7, 2018
@DorpsGek DorpsGek mentioned this issue Apr 7, 2018
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
flyspray This issue is imported from FlySpray (https://bugs.openttd.org/)
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@DorpsGek