forked from pool/prboom-plus
Jan Engelhardt
cca12e01f6
[CVE-2019-20797, boo#1171974] OBS-URL: https://build.opensuse.org/package/show/games/prboom-plus?expand=0&rev=34
75 lines
2.9 KiB
Diff
75 lines
2.9 KiB
Diff
From 1a081d10e6c71a5b5b2db76081227677f06b47b3 Mon Sep 17 00:00:00 2001
|
|
From: Fabian Greffrath <fabian@greffrath.com>
|
|
Date: Mon, 1 Jun 2020 09:53:23 +0200
|
|
Subject: [PATCH] fix heap buffer overflows in UDP code (CVE-2019-20797) (#85)
|
|
Origin: https://github.com/coelckers/prboom-plus
|
|
|
|
* fix heap buffer overflows in UDP code (CVE-2019-20797)
|
|
|
|
* Limit length of buffer passed over to ChecksumPacket().
|
|
Patch taken from the OP at https://logicaltrust.net/blog/2019/10/prboom1.html
|
|
|
|
* Never send more than one second worth of tics (i.e. 35) in both the
|
|
main() routine in d_server.c and NetUpdate() in d_client.c.
|
|
This avoids overflows of the allocated UDF buffer with a fixed size
|
|
of 10000 bytes. Theoretically, up to about 35 seconds could be sent in the
|
|
client code and up to about 7 seconds in the server code, but the
|
|
network game would be unplayable with such a lag anyway.
|
|
|
|
Client code: pkt_size = 8 + 2 + X * 8 (= 9810 for X = 35*35)
|
|
Server code: pkt_size = 8 + 1 + X * (1 + 4 * (1 + 8)) (= 9074 for X = 7 * 35)
|
|
|
|
Fixes: #84
|
|
|
|
* limit number of sent tics to 128
|
|
|
|
* fix brain bug
|
|
---
|
|
src/SDL/i_network.c | 2 +-
|
|
src/d_client.c | 2 +-
|
|
src/d_server.c | 2 +-
|
|
3 files changed, 3 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/src/SDL/i_network.c b/src/SDL/i_network.c
|
|
index 89edab78..7e02706a 100644
|
|
--- a/src/SDL/i_network.c
|
|
+++ b/src/SDL/i_network.c
|
|
@@ -240,7 +240,7 @@ size_t I_GetPacket(packet_header_t* buffer, size_t buflen)
|
|
checksum=buffer->checksum;
|
|
buffer->checksum=0;
|
|
if ( (status!=0) && (len>0)) {
|
|
- byte psum = ChecksumPacket(buffer, udp_packet->len);
|
|
+ byte psum = ChecksumPacket(buffer, len); // https://logicaltrust.net/blog/2019/10/prboom1.html
|
|
/* fprintf(stderr, "recvlen = %u, stolen = %u, csum = %u, psum = %u\n",
|
|
udp_packet->len, len, checksum, psum); */
|
|
if (psum == checksum) return len;
|
|
diff --git a/src/d_client.c b/src/d_client.c
|
|
index 7ce74d4e..054bc595 100644
|
|
--- a/src/d_client.c
|
|
+++ b/src/d_client.c
|
|
@@ -351,7 +351,7 @@ void NetUpdate(void)
|
|
int sendtics;
|
|
remotesend -= xtratics;
|
|
if (remotesend < 0) remotesend = 0;
|
|
- sendtics = maketic - remotesend;
|
|
+ sendtics = MIN(maketic - remotesend, 128); // limit number of sent tics (CVE-2019-20797)
|
|
{
|
|
size_t pkt_size = sizeof(packet_header_t) + 2 + sendtics * sizeof(ticcmd_t);
|
|
packet_header_t *packet = Z_Malloc(pkt_size, PU_STATIC, NULL);
|
|
diff --git a/src/d_server.c b/src/d_server.c
|
|
index 1269a861..39c2e3cd 100644
|
|
--- a/src/d_server.c
|
|
+++ b/src/d_server.c
|
|
@@ -682,7 +682,7 @@ int main(int argc, char** argv)
|
|
int tics;
|
|
if (lowtic <= remoteticto[i]) continue;
|
|
if ((remoteticto[i] -= xtratics) < 0) remoteticto[i] = 0;
|
|
- tics = lowtic - remoteticto[i];
|
|
+ tics = MIN(lowtic - remoteticto[i], 128); // limit number of sent tics (CVE-2019-20797)
|
|
{
|
|
byte *p;
|
|
packet = malloc(sizeof(packet_header_t) + 1 +
|
|
--
|
|
2.26.2
|
|
|