Missing server-side num_players validation leading to buffer overflow #1293
Comments
The fix is pretty straightforward, but I am only going to commit it once the CVE id has been assigned.
I'd prefer to return
Sounds good to me.
The current behaviour if faulty configuration is encountered is not to fix it, i.e. put the corresponding variable into its own boundaries, but to This would be another incarnation of #875, but this bug is already there. With my approach of returning
Why wait for stuff like that and not fix it immediately if you know the solution?
Will commit today. I want the CVE id in the commit message so it's obvious which patch needs backporting, e.g. for Linux distributions.
And here it is: #1295 I decided to go with Michał's originally suggested fix, as this is the same approach used everywhere else in the code. For the
I'm introducing Chocolate Doom to Gentoo Linux as a new package. Is a new release of Chocolate Doom containing this fix expected in the near future, or should I instead focus on backporting this patch for release version 3.0.0?
I for my part will backport these patches to the Debian package.
Thanks, I'll probably pull your backport from the Debian package when you update it and use it for the Gentoo package.
3.0.1 is now released, which includes the cherry-picked fix. Thanks to Fabian for coordinating the response here and to everyone else who helped.
3.0.1 was not marked as a release, so GitHub did not send notifications. (You can see that 3.0.1 appears differently on https://github.com/chocolate-doom/chocolate-doom/releases than 3.0.0.)
Background
Version of Chocolate Doom:
Operating System and version: Ubuntu 18.04 x86-64
Compilation:
```
CFLAGS="-fsanitize=address -ggdb -O0" LDFLAGS="-fsanitize=address" ./configure --prefix=`pwd`/bin
```
Game: (Doom/Heretic/Hexen/Strife/other) FreeDM
Bug description
When the client starts the game, it sends its settings using the `NET_WriteSettings` function. The server receives and parses it in the `NET_ReadSettings` function. The settings packet consists of the `num_players` integer. This value is used as a maximum value while iterating over the corresponding settings and writing them to the `player_classes` fixed-size (8 elements) array. The client can send any byte value and fill the packet with additional bytes to write outside the array and cause a stack-based buffer overflow.
PoC:
Modified client's code:
When all of the clients are connected and the owner starts the game, the server crashes.
Chocolate Doom ASAN:
Chocolate Doom without asan:
Chocolate Doom without stack protection:
Crispy Doom ASAN
Fix proposition
found by Michał Dardas from LogicalTrust
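The pattern the report describes, as an added C example that is not Chocolate Doom's code: a minimal packet reader in which a wire-supplied `num_players` bounds a loop writing into a fixed 8-element `player_classes` array, shown in its vulnerable shape next to a hardened reader that checks the count against the array size before the loop. The player limit, packet struct, settings struct, function names and the one-byte-count-plus-class-bytes payload are assumptions made for this example; the real `NET_ReadSettings` reads many more fields. The hardened version rejects the packet rather than clamping the count; both options come up in the thread, and which one #1295 chose is not shown on this page.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed for this example: the real project has its own player limit,
 * packet type, settings struct and reader functions; none of these names
 * are its API. */
#define MAXPLAYERS 8

typedef struct { const uint8_t *data; size_t len; size_t pos; } packet_t;

typedef struct {
    unsigned int num_players;
    int player_classes[MAXPLAYERS];   /* fixed-size array filled by the loop */
} settings_t;

typedef bool (*reader_fn)(packet_t *, settings_t *);

/* Read one byte, failing cleanly when the packet is exhausted. */
static bool read_u8(packet_t *p, unsigned int *out)
{
    if (p->pos >= p->len) return false;
    *out = p->data[p->pos++];
    return true;
}

/* Vulnerable shape: the loop bound comes straight from the wire and the only
 * other exit is running out of bytes, so a count of 200 plus 200 class bytes
 * writes 192 ints past player_classes. Never call with count > MAXPLAYERS. */
static bool read_settings_vulnerable(packet_t *p, settings_t *s)
{
    unsigned int i, v;
    if (!read_u8(p, &s->num_players)) return false;
    for (i = 0; i < s->num_players; ++i) {
        if (!read_u8(p, &v)) return false;
        s->player_classes[i] = (int) v;   /* attacker-controlled index */
    }
    return true;
}

/* Hardened: check the count against the array size before it is used as an
 * index, and reject the packet rather than clamp the count. */
static bool read_settings_hardened(packet_t *p, settings_t *s)
{
    unsigned int i, v;
    if (!read_u8(p, &s->num_players)) return false;
    if (s->num_players > MAXPLAYERS) return false;
    for (i = 0; i < s->num_players; ++i) {
        if (!read_u8(p, &v)) return false;
        s->player_classes[i] = (int) v;
    }
    return true;
}

/* Constructed payload: one count byte, then count class bytes (class i % 4).
 * Returns the payload length, or 0 if it does not fit in buf. */
static size_t build_packet(uint8_t *buf, size_t cap, unsigned int count)
{
    unsigned int i;
    if (count > 255 || cap < 1u + count) return 0;
    buf[0] = (uint8_t) count;
    for (i = 0; i < count; ++i) buf[1 + i] = (uint8_t) (i % 4);
    return 1u + count;
}

/* Feed a constructed packet to a reader; the payload is cut to at most
 * `avail` bytes to model a short packet. Returns true if it was accepted. */
static bool feed(reader_fn reader, unsigned int count, size_t avail, settings_t *out)
{
    uint8_t buf[256];
    packet_t p = { buf, build_packet(buf, sizeof buf, count), 0 };
    if (avail < p.len) p.len = avail;
    *out = (settings_t){ 0 };
    return reader(&p, out);
}

/* Class the hardened reader parsed for player idx, or -1 if it rejected the packet. */
static int hardened_class(unsigned int count, size_t avail, unsigned int idx)
{
    settings_t s;
    if (!feed(read_settings_hardened, count, avail, &s) || idx >= s.num_players) return -1;
    return s.player_classes[idx];
}

/* The old reader on a benign packet only; larger counts are refused here so
 * the example never corrupts its own stack. */
static bool vulnerable_accepts_benign(unsigned int count)
{
    settings_t s;
    return count <= MAXPLAYERS && feed(read_settings_vulnerable, count, 256, &s);
}

int main(void)
{
    printf("count 8 -> class[7]=%d; count 200 -> %d; count 5 in 3 bytes -> %d\n",
           hardened_class(8, 256, 7), hardened_class(200, 256, 0), hardened_class(5, 3, 0));
    return 0;
}
```

The check sits between reading the count and the loop because that is the only place it can be made: once the loop starts, `i` is already an index derived from attacker data. The short-packet case (count says 5, only 3 bytes arrive) is rejected by the byte reader in both versions; the hardened reader adds the case the report is about, where the packet is long enough but the count exceeds the array.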