#######################################################################

                             Luigi Auriemma

Application:  Raknet
              http://www.jenkinssoftware.com
Versions:     <= 3.72
Platforms:    PS3, XBOX 360, Windows, Windows CE, Linux, Mac, iPhone
Bug:          NULL pointer
Exploitation: remote, versus server and client
Date:         25 Mar 2010
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Raknet is an open source network library that is also used in various
commercial games and engines, although with some modifications.

#######################################################################

======
2) Bug
======

The library is affected by a NULL pointer dereference caused by the
following code in RakPeer.cpp:

  bool ProcessOfflineNetworkPacket( const SystemAddress systemAddress, const char *data, const int length, RakPeer *rakPeer, RakNetSmartPtr<RakNetSocket> rakNetSocket, bool *isOfflineMessage, RakNetTimeUS timeRead )
  ...
      if (length <=2)
      {
          *isOfflineMessage=true;
      }
  ...
      if (*isOfflineMessage)
      {
  ...
          else if ((unsigned char) data[ 0 ] == ID_OUT_OF_BAND_INTERNAL &&
              (size_t) length < MAX_OFFLINE_DATA_LENGTH+sizeof(OFFLINE_MESSAGE_DATA_ID)+sizeof(MessageID)*2+RakNetGUID::size())
          {
              unsigned int dataLength = (unsigned int) (length-sizeof(OFFLINE_MESSAGE_DATA_ID)-RakNetGUID::size()-sizeof(MessageID)*2);
              RakAssert(dataLength<1024);
              packet=rakPeer->AllocPacket(dataLength+sizeof(MessageID), __FILE__, __LINE__);
              RakAssert(packet->length<1024);
  ...
              packet->data[0]=data[1];
  ...

In practice the "length <=2" check marks the incoming packet as an
offline message, so an ID_OUT_OF_BAND_INTERNAL packet of that size is
handled without any additional check. Its length is smaller than the
bytes subtracted from it (sizeof(OFFLINE_MESSAGE_DATA_ID),
RakNetGUID::size() and sizeof(MessageID)*2), so the subtraction wraps
around (integer overflow) and dataLength becomes a huge value; the
allocation in AllocPacket fails and packet->data is set to NULL.
The following access to this NULL pointer causes the immediate crash
of the game (client or server) that uses the library.

#######################################################################

===========
3) The Code
===========

http://aluigi.org/testz/udpsz.zip

  udpsz -C 0d SERVER PORT -1

#######################################################################

======
4) Fix
======

No fix

#######################################################################
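As an added example (not code from the advisory or from RakNet), the C program below puts the arithmetic of the vulnerable branch next to a hardened check that rejects a short packet before subtracting the header from its length. The header sizes (16-byte OFFLINE_MESSAGE_DATA_ID, 8-byte GUID, 1-byte MessageID, MAX_OFFLINE_DATA_LENGTH of 400) are assumptions modelled on RakNet's types, and both function names are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>

/* Sizes ASSUMED to mirror RakNet's types (the advisory does not state them):
 * OFFLINE_MESSAGE_DATA_ID is a 16-byte magic, RakNetGUID::size() is 8 bytes,
 * MessageID is one byte and MAX_OFFLINE_DATA_LENGTH is 400. */
#define OFFLINE_MESSAGE_DATA_ID_SIZE 16u
#define RAKNET_GUID_SIZE              8u
#define MESSAGE_ID_SIZE               1u
#define MAX_OFFLINE_DATA_LENGTH     400u

/* Bytes that precede the payload in an ID_OUT_OF_BAND_INTERNAL packet. */
#define OOB_HEADER_SIZE (OFFLINE_MESSAGE_DATA_ID_SIZE + RAKNET_GUID_SIZE + 2u * MESSAGE_ID_SIZE)

/* Same arithmetic as the vulnerable branch: the int 'length' is promoted to
 * size_t for the subtraction, so a packet shorter than the header wraps
 * around instead of going negative. The result is truncated to unsigned int,
 * which is the value that reaches AllocPacket(). */
unsigned int vulnerable_data_length(int length)
{
    return (unsigned int)(length - (size_t)OOB_HEADER_SIZE);
}

/* Hardened replacement (hypothetical): validate before subtracting.
 * Returns the payload length, or -1 if the packet must be dropped. */
long safe_oob_data_length(int length)
{
    if (length < 0)
        return -1;
    size_t len = (size_t)length;
    if (len < OOB_HEADER_SIZE)                            /* would wrap around */
        return -1;
    if (len >= MAX_OFFLINE_DATA_LENGTH + OOB_HEADER_SIZE) /* upper bound the code already had */
        return -1;
    return (long)(len - OOB_HEADER_SIZE);
}

int main(void)
{
    /* A 1-byte datagram: length <= 2 takes the "offline message" path. */
    printf("vulnerable dataLength for a 1-byte packet: %u\n", vulnerable_data_length(1));
    printf("hardened check on a 1-byte packet:  %ld\n", safe_oob_data_length(1));
    printf("hardened check on a 30-byte packet: %ld\n", safe_oob_data_length(30));
    return 0;
}
```

Independently of the length check, the caller should also test AllocPacket's return value for NULL before touching packet->data, since a failed allocation is what turns the bad length into a crash.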