Exact OpenTTD revision I've checked this against: r27546
While reverse-engineering the content server protocol from the OpenTTD source code, I ran across two likely bugs in the code, both in src/network/network_content.cpp:
The second length assertion here assumes that a single item is either 20 or 4 bytes depending on whether an MD5 checksum is included, but this is incorrect; it's 21 or 5 bytes instead, due to the additional uint8 being written for the ContentType.
A packet begins with the packet size and a byte for the type. Then this packet adds a byte for the content type and a uint16 for the count in this packet.
This is incorrect; there's no byte for the ContentType, just a uint16 for the item count. The `p_count` calculation also appears to incorrectly assume the same non-existent byte to exist.
---
I don't speak C++ myself, so I'm unfortunately unable to contribute a patch.
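To make the size arithmetic in the report concrete, here is an added reference encoder/decoder for the item list (example code, not OpenTTD's own and not part of the ticket). It assumes little-endian fields, a uint16 size field that counts the whole packet including itself, and that MD5 presence is known to the parser out of band; the item layout (uint8 ContentType, uint32 content id, optional 16-byte MD5) and the 5-byte header without a separate ContentType byte follow the report.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

ITEM_LEN_WITH_MD5 = 1 + 4 + 16   # uint8 ContentType + uint32 id + 16-byte MD5
ITEM_LEN_WITHOUT_MD5 = 1 + 4
HEADER_LEN = 2 + 1 + 2           # uint16 size, uint8 packet type, uint16 count

@dataclass
class ContentItem:
    content_type: int             # uint8
    content_id: int               # uint32
    md5: Optional[bytes] = None   # 16 bytes when present

def item_len(with_md5: bool) -> int:
    return ITEM_LEN_WITH_MD5 if with_md5 else ITEM_LEN_WITHOUT_MD5

def buggy_item_len(with_md5: bool) -> int:
    # The assumption the report flags: it forgets the ContentType byte.
    return 20 if with_md5 else 4

def build_packet(packet_type: int, items: List[ContentItem]) -> bytes:
    """Header is uint16 total size, uint8 packet type, uint16 item count (assumed layout)."""
    body = bytearray(struct.pack("<BH", packet_type, len(items)))
    for it in items:
        body += struct.pack("<BI", it.content_type, it.content_id)
        if it.md5 is not None:
            if len(it.md5) != 16:
                raise ValueError("md5 must be 16 bytes")
            body += it.md5
    return struct.pack("<H", 2 + len(body)) + bytes(body)

def parse_packet(raw: bytes, with_md5: bool) -> Tuple[int, List[ContentItem]]:
    """Return (packet_type, items); reject a packet whose length is not count * item_len."""
    size, ptype, count = struct.unpack_from("<HBH", raw)
    if size != len(raw) or size - HEADER_LEN != count * item_len(with_md5):
        raise ValueError("packet length does not match item count")
    items, off = [], HEADER_LEN
    for _ in range(count):
        ctype, cid = struct.unpack_from("<BI", raw, off)
        off += ITEM_LEN_WITHOUT_MD5
        md5 = None
        if with_md5:
            md5 = raw[off:off + 16]
            off += 16
        items.append(ContentItem(ctype, cid, md5))
    return ptype, items

def max_items_per_packet(max_packet_size: int, with_md5: bool) -> int:
    """The p_count computation: items that fit after the 5-byte header."""
    return (max_packet_size - HEADER_LEN) // item_len(with_md5)
```

With the 20/4 figures from the report, a full packet would be one byte short per item, which is exactly the mismatch the later Packet assertions would trip on.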
About the fixes themselves:
* The ci->name -> ci->version mixup is non-critical. Within ContextInfo "version" is followed by "url", which is the read just after. So the buffer overrun cannot cause any harm.
* The p_count miscomputation only affects performance.
* The assertion about cv->Length would have been backed up by later assertions in Packet methods.
joepie91 opened the ticket and wrote:
Reported version: trunk
Operating system: All
This issue was imported from FlySpray: https://bugs.openttd.org/task/6449