net: fix missing server-side num_players validation (CVE-2020-14983)

The server in Chocolate Doom 3.0.0 and Crispy Doom 5.8.0 doesn't validate the user-controlled num_players value, leading to a buffer overflow. A malicious user can overwrite the server's stack. Fixes CVE-2020-14983, found by Michał Dardas from LogicalTrust. Fixes: #1293.
chocolate-doom · Jun 24, 2020 · f1a8d99 · f1a8d99
1 parent 5bf73c4
commit f1a8d99
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/src/net_structrw.c b/src/net_structrw.c
@@ -116,7 +116,7 @@ boolean NET_ReadSettings(net_packet_t *packet, net_gamesettings_t *settings)
         return false;
     }
 
-    for (i = 0; i < settings->num_players; ++i)
+    for (i = 0; i < settings->num_players && i < NET_MAXPLAYERS; ++i)
     {
         if (!NET_ReadInt8(packet,
                           (unsigned int *) &settings->player_classes[i]))