shithub: choc

ref: f1a8d991aa8a14afcb605cf2f65cd15fda204c56
parent: 5bf73c4864fedb6b97b27bf302435a1168ba8f4c
author: Fabian Greffrath <fabian@greffrath.com>
date: Wed Jun 24 08:45:03 EDT 2020

net: fix missing server-side num_players validation (CVE-2020-14983)

The server in Chocolate Doom 3.0.0 and Crispy Doom 5.8.0 doesn't
validate the user-controlled num_players value, leading to a buffer
overflow. A malicious user can overwrite the server's stack.

Fixes CVE-2020-14983, found by Michał Dardas from LogicalTrust.

Fixes: #1293.

--- a/src/net_structrw.c
+++ b/src/net_structrw.c
@@ -116,7 +116,7 @@
         return false;
     }
 
-    for (i = 0; i < settings->num_players; ++i)
+    for (i = 0; i < settings->num_players && i < NET_MAXPLAYERS; ++i)
     {
         if (!NET_ReadInt8(packet,
                           (unsigned int *) &settings->player_classes[i]))
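Review bot: the new `&& i < NET_MAXPLAYERS` condition stops the out-of-bounds write, but it silently truncates the loop instead of rejecting the packet, so a settings packet with `num_players > NET_MAXPLAYERS` is now accepted with its extra player-class bytes left unread, and anything parsed from the packet after this loop will be misaligned. Consider validating the value once, right after it is read, alongside the existing `return false;` path above the loop, e.g. `if (settings->num_players > NET_MAXPLAYERS) return false;`, and keeping the loop bound as a second line of defence; a short comment on the loop explaining why the bound is there would also help the next reader.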