Skip to content
This repository has been archived by the owner on Jan 13, 2022. It is now read-only.

Fix potential non-null-terminated string in Irrlicht sample (CVSS score: n/a) #130

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

Luke1410
Copy link

@Luke1410 Luke1410 commented Jun 2, 2018

This is a backport of a security relevant fix for RakNet, we discovered. The issue has already been fixed in SLikeNet 0.1.0 (see https://www.slikenet.com/).
We provide this backport for people who prefer to stick with the RakNet project and also in order to easier share this fix with other RakNet forks.

We could/did not calculate a CVSS score, since such score heavily depends on how exactly the 3rd-party-library (IrrlichtEngine) handles the potentially non-null-terminated string. Note that this can also differ between different versions of the 3rd-party-library.

The security implications of the issue should be considered low. It's only an issue in the sample integration and therefore only applies to games/apps which make use of the code provided in RakNetStuff for their integration with the IrrlichtEngine. Since a non-null-terminated string however can result in out of bounds memory access, we decided to treat this issue as a potential security vulnerability.

Luke1410 added a commit to SLikeSoft/SLikeNet that referenced this pull request Mar 25, 2019
…es (primarily in IPv4 mode - #263, #265)

- always try to determine the port in SystemAddress::FromString() if a delimiter is specified (IPv6 mode - #263)
- added missing WSAStartupSingleton::AddRef() in RakNetSocket2::DomainNameToIP() (#264)
- fix inconsistent 'g' vs. 'A' check in NonNumericHostString() (fixes #262)
- replace natpunch.jenkinssoftware.com with napunch.slikesoft.com throughout the code and consistently use natpunch.slikesoft.com (instead of slikesoft.com) (#173)
- dropped left over XBOX code (facebookarchive#130)
- code style, minor tweaks, whitespaces, and TODO markers (facebookarchive#130)
Luke1410 added a commit to SLikeSoft/SLikeNet that referenced this pull request Sep 2, 2019
   - supports session based data encryption/decryption
   - support secure memory handling
- corrections related to new (experimental) Crypto::CSecureString() class (#255)
   - rewrote the implementation to use Crypto::CCryptoManager's session data encryption feature (which makes the CSecureString() class compatible with Linux and OSX)
   - changed AddChar() to return the number of written characters (useful for UTF-8-mode)
   - added missing integer overflow check
   - fixed off-by-one checks (incl. off-by-one checks in AddChar() in UTF-8 mode)
   - several compile error/warning fixes
   - added documentation
   - whitespaces
- updated changelog entries (mainly for 0.1.3) (facebookarchive#130, #220, #223, #249, #225, #226, #227, #228, #236, #238, #242, #258, #259, #261, #262, #263, #264, #265, #269)
Luke1410 added a commit to SLikeSoft/SLikeNet that referenced this pull request Sep 2, 2019
- CMake
  - renamed project name from RakNet -> SLikeNet (#222)
  - by default build the retail version now (#222)
  - changed created include directory from raknet -> slikenet (#222)
  - changed target name for non-Windows platform to libslikenet using set_target_properties(OUTPUT_NAME) (#189)
  - added version number using set_target_properties() (VERSION and SOVERSION) (#222)
  - replaced usage of direct CMAKE_CXX_FLAGS variable by using add_definitions() (#222)
  - renamed variables RAKNET_XXX -> SLIKENET_XXX (#222)
  - correct the OpenSSL include directory (#254)
  - removed obsolete HAVE_64_BIT variable (facebookarchive#130)
  - removed obsolete RAKNET_INCLUDE_DIRS variable (facebookarchive#130)
  - multiple other tweaks (facebookarchive#130, #269)
Luke1410 added a commit to SLikeSoft/SLikeNet that referenced this pull request Sep 2, 2019
Luke1410 added a commit to SLikeSoft/SLikeNet that referenced this pull request Sep 2, 2019
   - added CMake configuration and version configuration support (facebookarchive#132)
   - added slikenet.h to simplify CMake include directory detection (facebookarchive#132)
   - tweaked the way to specify the version number (facebookarchive#132)
   - use version based install directories to support installing multiple versions in parallel (#222)
   - use EXPORT handling for the CMake integration (facebookarchive#132)
   - preps for CMake >= 2.8 make use of target_include_directories() (#222)
   - minor tweaks (facebookarchive#130)
Luke1410 added a commit to SLikeSoft/SLikeNet that referenced this pull request Sep 3, 2019
…eclared external so to remove the need for including/dependent compile units to also include types.h (which is quite a burden due to the windows.h inclusion, f.e.) - facebookarchive#130

- add required OpenSSL dependency to CMake (#222)
Luke1410 added a commit to SLikeSoft/SLikeNet that referenced this pull request Sep 3, 2019
Luke1410 added a commit to SLikeSoft/SLikeNet that referenced this pull request Sep 3, 2019
- clarified changelog entry to not suggest that all compile errors were fixed (#220)
Luke1410 added a commit to SLikeSoft/SLikeNet that referenced this pull request Sep 16, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant