On Fri, 2014-11-21 at 22:42 +0100, Markus Koschany wrote:
> Hi,
>
> yesterday the developers of Teeworlds announced a security
> vulnerability in Teeworlds' server for the complete 0.6.x series. That
> means stable is also affected.
>
> https://www.teeworlds.com/?page=news&id=11200

This is the patch for the security issue from
https://github.com/teeworlds/teeworlds/commit/a766cb44bcffcdb0b88e776d01c5ee1323d44f85
- Originally from
https://github.com/heinrich5991/teeworlds/commit/51af0b8548ec4974724f24386b35db8fef242ee3

The bug seems to be that "Offset" is a remote attacker controlled variable which isn't validated properly (it could be negative). Offset is then used as an index to a memory read and the data is sent back to the attacker.

James

From a766cb44bcffcdb0b88e776d01c5ee1323d44f85 Mon Sep 17 00:00:00 2001 From: oy <tom_ad...@web.de> Date: Thu, 20 Nov 2014 18:13:54 +0100 Subject: [PATCH] fixed a server crash --- src/engine/server/server.cpp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/engine/server/server.cpp b/src/engine/server/server.cpp index 581c7e6..ab0f312 100644 --- a/src/engine/server/server.cpp +++ b/src/engine/server/server.cpp @@ -845,8 +845,8 @@ void CServer::ProcessClientPacket(CNetChunk *pPacket) return; int Chunk = Unpacker.GetInt(); - int ChunkSize = 1024-128; - int Offset = Chunk * ChunkSize; + unsigned int ChunkSize = 1024-128; + unsigned int Offset = Chunk * ChunkSize; int Last = 0; // drop faulty map data requests -- 2.1.3
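
Review bot: `int Chunk = Unpacker.GetInt();` stays signed in this hunk, so the fix depends on the implicit conversion in `Chunk * ChunkSize` turning a negative Chunk into a large unsigned Offset that the check under `// drop faulty map data requests` must then reject. That check is outside the changed lines, so any signed operand compared against the new unsigned Offset there deserves a second look. The multiplication also wraps modulo the width of unsigned int, so a negative or very large Chunk can land on a small Offset. An explicit `if(Chunk < 0) return;` directly after the GetInt() call would state the intent instead of leaving it to conversion rules. The subject "fixed a server crash" also does not mention that the affected read is sent back to the client, which matters to anyone triaging the commit for backports.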
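
The signedness problem James describes, as an added example that is not code from the Teeworlds tree or from this thread. It models the request handler before and after the type change; `MAP_SIZE`, `Reply`, the `Handle*` names and the shape of the bounds check are assumptions, and only the `1024-128` chunk size and the `int` to `unsigned int` change come from the patch.

```cpp
#include <cstdint>
#include <cstdio>

// Constructed model of a map-chunk request handler. MAP_SIZE and the bounds
// check are assumptions for illustration; only 1024-128 comes from the patch.
static const int MAP_SIZE = 4000;

struct Reply { bool sent; long long offset; long long size; };

// Pre-patch shape: signed offset, upper-bound check only (assumed check).
Reply HandleSigned(int32_t Chunk)
{
    int64_t ChunkSize = 1024 - 128;
    int64_t Offset = (int64_t)Chunk * ChunkSize; // 64-bit so the demo has no signed overflow
    if (Offset > MAP_SIZE)
        return {false, 0, 0};
    if (Offset + ChunkSize >= MAP_SIZE)
        ChunkSize = MAP_SIZE - Offset;
    return {true, Offset, ChunkSize}; // a server would read map[Offset .. Offset+ChunkSize)
}

// Post-patch shape: unsigned arithmetic, same check.
Reply HandleUnsigned(int32_t Chunk)
{
    uint32_t ChunkSize = 1024 - 128;
    uint32_t Offset = (uint32_t)Chunk * ChunkSize; // negative Chunk wraps modulo 2^32
    if (Offset > (uint32_t)MAP_SIZE)
        return {false, 0, 0};
    if (Offset + ChunkSize >= (uint32_t)MAP_SIZE)
        ChunkSize = (uint32_t)MAP_SIZE - Offset;
    return {true, Offset, ChunkSize};
}

int main()
{
    // Constructed inputs; -33554432 wraps to Offset 0 in the unsigned version.
    const int32_t samples[] = {0, 4, 5, -1, -33554432};
    for (int32_t c : samples)
    {
        Reply a = HandleSigned(c), b = HandleUnsigned(c);
        std::printf("Chunk=%d signed: sent=%d off=%lld size=%lld | unsigned: sent=%d off=%lld size=%lld\n",
            (int)c, a.sent, a.offset, a.size, b.sent, b.offset, b.size);
    }
    return 0;
}
```

In this model a negative Chunk passes the signed check with a negative offset, while the unsigned version either drops the request or wraps to an offset that is still inside the map.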