In the function SV_SteamAuthClient, the length of the user's authBlob is not checked to be smaller than the allocated buffer on the stack before the call to MSG_ReadData. Overflowing the buffer using a modified steamAuth packet enables arbitrary code execution.
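The missing check, shown in its corrected form as an added example; this is not the engine's code. The `msg_t` type, the 16-bit length prefix, the 2048-byte buffer size and all function names here are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define AUTH_BLOB_MAX 2048 /* assumed; the page does not give the real buffer size */

/* Hypothetical stand-in for the engine's message reader state. */
typedef struct { const uint8_t *data; size_t size, pos; } msg_t;

/* Copy len bytes from the packet; refuses to read past the end of the input. */
static int msg_read_data(msg_t *m, void *out, size_t len) {
    if (len > m->size - m->pos) return -1;
    memcpy(out, m->data + m->pos, len);
    m->pos += len;
    return 0;
}

/* Assumed wire layout: 16-bit little-endian length, then the blob.
 * Returns the blob length, or -1 if the packet must be rejected. */
long read_auth_blob(msg_t *m, uint8_t *dst, size_t dst_size) {
    uint8_t hdr[2];
    if (msg_read_data(m, hdr, sizeof hdr) != 0) return -1;  /* truncated header */
    size_t len = (size_t)hdr[0] | ((size_t)hdr[1] << 8);
    /* The flawed pattern copies len bytes here without the next check;
     * msg_read_data only bounds the source, so dst can still be overrun. */
    if (len > dst_size) return -1;
    if (msg_read_data(m, dst, len) != 0) return -1;          /* truncated body */
    return (long)len;
}

/* Constructed sample: packet declaring `declared` bytes and carrying `actual`. */
long parse_sample(size_t declared, size_t actual) {
    static uint8_t pkt[2 + 4096];
    uint8_t blob[AUTH_BLOB_MAX];   /* fixed-size stack buffer, as in the report */
    if (actual > 4096 || declared > 0xFFFF) return -2;
    pkt[0] = (uint8_t)(declared & 0xFF);
    pkt[1] = (uint8_t)(declared >> 8);
    memset(pkt + 2, 0xAB, actual);
    msg_t m = { pkt, 2 + actual, 0 };
    return read_auth_blob(&m, blob, sizeof blob);
}

int main(void) {
    printf("fits: %ld\n", parse_sample(16, 16));
    printf("oversized: %ld\n", parse_sample(4000, 4000));
    printf("truncated: %ld\n", parse_sample(100, 10));
    return 0;
}
```

A source-side bound (packet length) and a destination-side bound (buffer size) are separate checks; the report concerns the absence of the second.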