New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
DOS vulnerability (?) #32
Comments
Let me get back to you on this. I'll prioritize the facebookarchive#102 issue now. |
Nope the "vulnerability" has not been completely resolved, yet. The special case as described in the referenced RakNet issue facebookarchive#102 is something I'll fix directly, since it's an obvious fix (please let me know if you'd like it being integrated immediately in the GitHub repository - otherwise I'll commit it once we added an appropriate test case to verify it's working as intended). To resolve the described vulnerability in the issue, it'll require a bit more work (incl. extending our tests which currently don't detect the vulnerability). I'll prioritize this task now as the next issue to resolve after some of the pending issues/pull requests throughout RakNet. |
Thanks. |
We just committed the obvious fix for the uint24_t max case resulting in an endless loop (available in the SVN repository and the GitHub repository). The remaining issue(s) are on the list of things to resolve for the next version. Internal case number SLNET-194 / SLNET-204. |
Just to give a quick heads up: We are now working on this issue. We made several changes to the area and are currently testing/reviewing them to ensure this completely resolves this DOS attack vector. |
We are going to release an unplanned hotfix of SLikeNet due to this exploit (SLikeNet 0.1.2) and will also provide a pull request to RakNet (for those who are staying with RakNet). We are currently targeting a release on 2018-05-06. If you need an urgent fix, feel free to contact us by mail at support@slikesoft.com. This exploit has the following CVSS score: Since SLikeNet/RakNet are libraries, there's no CVSS environmental score (since that score heavily depends on how/where the library is utilized). |
SLikeNet 0.1.2 which resolves the issues (SLNET-194, SLNET-204) is available now at https://www.slikenet.com/ or here on GitHub at https://github.com/SLikeSoft/SLikeNet/releases/v.0.1.2 . |
Hello.
In 2014 @8artek0v0 reported a DOS vulnerability to the RakNet developer(s), which was supposed to be fixed in facebookarchive@e97c4bb. However, it wasn't fixed completely, as described here: facebookarchive#102
Is this vulnerability somehow addressed in SLikeNet?
The text was updated successfully, but these errors were encountered: