CVE-2010-4168 (vulnerable 1.0.0 - fixed 1.0.5)
Short description: Denial of service (server/client) via invalid read
Related bug reports:
- There are no related bugs.
Patches: (sometimes more fuzz is needed to apply them)
When a client disconnects, without sending the "quit" or "client error" message,
the server has a chance of reading and writing a just freed piece of memory. The
chance depends on when the disconnect is noticed, whether OpenTTD can write to
the socket, and whether there are packets from the client waiting to be
processed. The writing can only happen while the server is sending the map.
For clients there is a chance that, upon reconnect after being disconnected during the join process, a just freed piece of memory is read.
Depending on what happens directly after freeing the memory there is a chance that a segmentation fault, and thus a denial of service will occur.
The attached patch does not change network compatability at all.