Headline
CVE-2020-6019: Tweak pointer math to avoid possible integer overflow · ValveSoftware/GameNetworkingSockets@d944a10
Valve’s Game Networking Sockets prior to version v1.2.0 improperly handles inlined statistics messages in function CConnectionTransportUDPBase::Received_Data(), leading to an exception thrown from libprotobuf and resulting in a crash.
@@ -840,9 +840,9 @@ void CConnectionTransportUDPBase::Received_Data( const uint8 *pPkt, int cbPkt, S
ReportBadUDPPacketFromConnectionPeer( "DataPacket", “Failed to varint decode size of stats blob” );
return;
}
if ( pIn + cbStatsMsgIn > pPktEnd )
if ( cbStatsMsgIn > pPktEnd - pIn )
{
ReportBadUDPPacketFromConnectionPeer( "DataPacket", "stats message size doesn’t make sense. Stats message size %d, packet size %d", cbStatsMsgIn, cbPkt );
ReportBadUDPPacketFromConnectionPeer( "DataPacket", "stats message size doesn’t make sense. Stats message size %u, packet size %d", cbStatsMsgIn, cbPkt );
return;
}
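Review bot: the rewritten bounds check `if ( cbStatsMsgIn > pPktEnd - pIn )` compares a value that the new `%u` specifier implies is unsigned against a signed pointer difference, so the outcome depends on the usual arithmetic conversions. On a target where the pointer difference is no wider than the type of `cbStatsMsgIn`, the right-hand side is converted to unsigned, and the check is only correct if `pIn <= pPktEnd` already holds here. The lines shown do not establish that invariant. Consider asserting it and making the conversion explicit, for example by comparing against `(size_t)( pPktEnd - pIn )`. A one-line comment would also help: it should say the subtraction form is deliberate, because `pIn + cbStatsMsgIn` can wrap for a peer-supplied size, so that a later cleanup does not turn it back into the addition form. A regression test that feeds a data packet whose declared stats size exceeds the remaining bytes would be worth adding as well.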