Ticket #21 (closed defect: fixed)

Opened 23 months ago

Last modified 17 months ago

Clients format string, ScrollInfoT::Print()

Reported by: Luigi Auriemma
Owned by: Carsten
Priority: high
Milestone:
Component: Cafu Engine
Version: 9.06
Keywords: format string, vulnerability
Cc:
Platform:

Description (last modified by Carsten)

The client's engine is affected by a format string vulnerability located in the calling of the ScrollInfoT::Print function used for showing messages on the screen.
Unlike Console->Print, which shows one string in the console, this one uses a printf-like format:
void ScrollInfoT::Print(const char* PrintString, ...)
but the format argument is missing in a couple of locations, one of which is the visualization of the chat messages.

Ca3DE\Client\ClientStateInGame.cpp:

            ...
            case SC1_ChatMsg:
            {
                const char* ChatMessage=InData.ReadString();

                cf::LogDebug(net, "SC1_ChatMsg: %s", ChatMessage);
                Console->Print(std::string(ChatMessage)+"\n");
                ChatScrollInfo.Print(ChatMessage);
                break;
            }
            ...

The result is that an attacker from the same server or (better) from another client can crash or execute malicious code on any other client connected to the server.

Note that ScrollInfo.Print is also used without argument in the ClientStateInGameT::Render function.
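The following is an added example, not code from the Cafu engine or from the reporter: a hypothetical stand-in class (ScrollInfoDemoT) with the same printf-style Print signature as the ScrollInfoT::Print described above, the hardened way of passing a network-supplied chat message to it (as an argument to a fixed "%s" format, never as the format itself), a compiler format attribute that makes the unsafe call pattern a warning under -Wformat-security, and a small helper that counts conversion specifiers in a message so that hostile chat text can be flagged before it reaches any printf-style sink. The sample chat line is constructed for the demonstration.

```cpp
// Added example (not Cafu engine code): a minimal stand-in for a
// printf-style screen-message printer and the hardened way of calling it.
#include <cstdarg>
#include <cstdio>
#include <string>

// GCC and Clang understand the format attribute; other compilers get nothing.
#if defined(__GNUC__) || defined(__clang__)
#define DEMO_PRINTF_FORMAT(FmtIdx, ArgIdx) __attribute__((format(printf, FmtIdx, ArgIdx)))
#else
#define DEMO_PRINTF_FORMAT(FmtIdx, ArgIdx)
#endif

// Hypothetical stand-in for ScrollInfoT; the engine's real class is not reproduced.
class ScrollInfoDemoT
{
public:
    // Index 2 is the format parameter and 3 the first variadic argument,
    // because the implicit 'this' pointer occupies index 1. With the attribute
    // in place, a call such as Print(ChatMessage) with a non-literal format is
    // reported by -Wformat-security, which is the check that would have caught
    // the pattern described in this ticket.
    void Print(const char* PrintString, ...) DEMO_PRINTF_FORMAT(2, 3);

    const std::string& LastLine() const { return m_LastLine; }

private:
    std::string m_LastLine;
};

void ScrollInfoDemoT::Print(const char* PrintString, ...)
{
    char    Buffer[256];
    va_list Args;

    va_start(Args, PrintString);
    vsnprintf(Buffer, sizeof(Buffer), PrintString, Args);   // bounded, never overruns Buffer
    va_end(Args);

    m_LastLine = Buffer;
}

// Hardened handling of a chat message received from the network: the message
// is passed as data to a fixed "%s" format, so any '%' sequences it contains
// are rendered literally instead of being interpreted as conversions.
std::string RenderChatSafely(const char* ChatMessage)
{
    ScrollInfoDemoT Info;

    Info.Print("%s", ChatMessage);
    return Info.LastLine();
}

// Defensive helper: counts '%' characters that are not part of a literal "%%".
// A non-zero result on inbound chat text is worth logging, since a legitimate
// message rarely contains conversion specifiers.
int CountConversionSpecifiers(const std::string& Msg)
{
    int Count = 0;

    for (size_t i = 0; i < Msg.size(); i++)
    {
        if (Msg[i] != '%') continue;
        if (i + 1 < Msg.size() && Msg[i + 1] == '%') { i++; continue; }   // escaped percent
        Count++;
    }
    return Count;
}

int main()
{
    // Constructed sample input: a chat line that would be treated as three
    // conversion specifiers if it were used as the format string itself.
    const char* Hostile = "hi %s %s %n";

    printf("%s\n", RenderChatSafely(Hostile).c_str());            // printed literally
    printf("specifiers: %d\n", CountConversionSpecifiers(Hostile)); // 3
    return 0;
}
```

Building with -Wall -Wformat -Wformat-security turns the original single-argument call into a compile-time warning wherever the attribute is applied, which is cheaper than auditing every call site by hand.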

Change History

Changed 23 months ago by Carsten

  • description modified

Changed 23 months ago by Carsten

  • owner set to Carsten
  • status changed from new to confirmed

Changed 17 months ago by Carsten

  • status changed from confirmed to closed
  • resolution set to fixed

Closed by r144:
Revised classes ScrollInfoT and FontT, fixing bug #21.
Thanks to Luigi Auriemma for the report!
