[Bug] A malformed packet can be used to leak old packets #5
Comments
willardf
pushed a commit
that referenced
this issue
Oct 8, 2020
|
Thanks for bringing this up, do you have any interest in reviewing this or testing it with your example or should I just merge it? |
|
I just tested the changes using my example project and that project doesn't work anymore which is a good thing. I think it can be merged. |
willardf
added a commit
that referenced
this issue
Oct 8, 2020
Test and fix bug #5: A malformed packet can be used to leak old packets
|
Great, thanks! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
MessageReader.GetSized()will return a reader without cleaning the buffer if there is a reader in the reader pool with a buffer that is big enough.MessageReader.ReadString()doesn't do any bound checks. You can supply it any packed integer and it will happily try to read up to0x7FFFFFFFbytes from the reader buffer. Any value higher than0xFFFFwill cause an exception to be thrown on servers that do not manually specify a buffer size. This issue can also be used to leak old packets. If the server echoes what it reads from the packet back to the client, and if the reader was recycled usingMessageReader.GetSized(), the server will send the data of an old packet (probably from a different client) to the client.Example client code that exploits this and example vulnerable server
The text was updated successfully, but these errors were encountered: