R5Reloaded/r5sdk
1
0
Fork 0
mirror of https://github.com/Mauler125/r5sdk.git synced 2025-02-09 19:15:03 +01:00
Code Issues Packages Projects Releases Wiki Activity

Fix vulnerability in C2S_CONNECT message parser

Browse Source 
Thanks Robotic for reporting the crash!
This commit is contained in:
Amos 2023-05-30 10:03:53 +02:00
parent abef34d3ef
commit 46fafef60c
1 changed files with 11 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
r5dev/resource/patch/r5apex.patch
View File

@ -64,4 +64,14 @@
// Below the reconstruction of overwritten bytes caused by the long jump to code cave...
0x12944BB: "lea r8d, ds:[rbp*8]" // fragSize << 3
0x12944C3: "mov rcx, rbx"
0x12944C6: "jmp 0x0000000140261A6B" // Jump back to original code; final split packet fragment is sane.
0x12944C6: "jmp 0x140261A6B" // Jump back to original code; final split packet fragment is sane.
// This fixes a vulnerability in which the index field in the NET_SetConVar message
// could be used to read outside the static userinfo cvar string array.
0x030DD29: "jmp 0x1412950E3" // Jump to code cave (alignment padding at end of executable segment).
0x12944E3: "test eax, eax" // Existing NULL check, moved here due to overwrite caused by long jmp.
0x12944E5: "je 0x1412950F0" // Conditional jump to rebuild of overwritten instruction.
0x12944E7: "cmp eax, 0x28" // Check if array index does NOT exceed size; max = 0x27 (this check was missing).
0x12944EA: "jl 0x14030E951" // Conditional jump to original code that indexes into userinfo cvar string array.
0x12944F0: "mov r8d, 0x104" // Rebuid of overwritten instruction caused by long jump to code cave.
0x12944F6: "jmp 0x14030E933" // Jump to original code past the user info cvar array indexing.