From b89eddc8676acb6588be2cb739d07d3948b277f3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=CE=B6eh=20Matt?= <5415177+ZehMatt@users.noreply.github.com>
Date: Tue, 28 Dec 2021 16:36:13 +0200
Subject: [PATCH 1/2] Fix #16327: Crash supplying a bad signature size in the auth packet
---
src/openrct2/network/NetworkBase.cpp | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/src/openrct2/network/NetworkBase.cpp b/src/openrct2/network/NetworkBase.cpp
index 6360e73aee..2e75cfa47a 100644
--- a/src/openrct2/network/NetworkBase.cpp
+++ b/src/openrct2/network/NetworkBase.cpp
@@ -2559,6 +2559,15 @@ void NetworkBase::Server_Handle_AUTH(NetworkConnection& connection, NetworkPacke
 {
 try
 {
+ // RSA technically supports keys up to 65536 bits, so this is the
+ // maximum signature size for now.
+ constexpr auto MaxRSASignatureSizeInBytes = 8192;
+
+ if (sigsize == 0 || sigsize > MaxRSASignatureSizeInBytes)
+ {
+ throw std::runtime_error("Invalid signature size");
+ }
+
 std::vector signature;
 signature.resize(sigsize);
From 7318cdd9b016c1d0e1fb8462831b0a3864fac460 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=CE=B6eh=20Matt?= <5415177+ZehMatt@users.noreply.github.com>
Date: Thu, 30 Dec 2021 14:00:16 +0200
Subject: [PATCH 2/2] Update changelog.txt
---
distribution/changelog.txt | 1 +
1 file changed, 1 insertion(+)
diff --git a/distribution/changelog.txt b/distribution/changelog.txt
index f09dd9498e..e8f0fd05af 100644
--- a/distribution/changelog.txt
+++ b/distribution/changelog.txt
@@ -29,6 +29,7 @@
 - Fix: [#16087] The Looping Roller Coaster booster is now always drawn correctly.
 - Fix: [#16162] Go Karts speeds are not correctly randomised, they only go very fast or very slow.
 - Fix: [#16188] Medium-size banked turns on the Twister and Vertical Roller Coaster have incorrect support placement (partly original bug).
+- Fix: [#16327] Crash on malformed network packet.
 0.3.5.1 (2021-11-21)
 ------------------------------------------------------------------------
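Review bot: The new bound in `Server_Handle_AUTH` compares `sigsize` with a fixed constant, so it caps what `signature.resize(sigsize)` allocates but does not tie the length to the bytes actually left in the packet. The read that fills `signature` is outside this hunk, so confirm it rejects a `sigsize` larger than the remaining payload rather than relying on this check alone. Because `sigsize` arrives in the auth packet, before the peer is authenticated, a one-line comment such as `// sigsize is peer-supplied and unauthenticated: validate before allocating` would make the intent clear. I would also give the limit an explicit unsigned type instead of `auto` (which deduces `int` here) and show how it is derived, e.g. `constexpr size_t MaxRSASignatureSizeInBytes = 65536 / 8;`. The enclosing `try` block and its handler continue outside the hunk, so what the thrown `std::runtime_error` does to the connection cannot be checked from here.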