This repository has been archived by the owner on Jan 13, 2022. It is now read-only.
Fix potential non-null-terminated string in Irrlicht sample (CVSS score: n/a) #130
Open
Luke1410 wants to merge 1 commit into facebookarchive:master from SLikeSoft:RakNet_backport_slnet_104
Luke1410 added a commit to SLikeSoft/SLikeNet that referenced this pull request Mar 25, 2019
…es (primarily in IPv4 mode - #263, #265)
- always try to determine the port in SystemAddress::FromString() if a delimiter is specified (IPv6 mode - #263)
- added missing WSAStartupSingleton::AddRef() in RakNetSocket2::DomainNameToIP() (#264)
- fix inconsistent 'g' vs. 'A' check in NonNumericHostString() (fixes #262)
- replace natpunch.jenkinssoftware.com with napunch.slikesoft.com throughout the code and consistently use natpunch.slikesoft.com (instead of slikesoft.com) (#173)
- dropped left over XBOX code (facebookarchive#130)
- code style, minor tweaks, whitespaces, and TODO markers (facebookarchive#130)
Luke1410 added a commit to SLikeSoft/SLikeNet that referenced this pull request Sep 2, 2019
- supports session based data encryption/decryption
- support secure memory handling
- corrections related to new (experimental) Crypto::CSecureString() class (#255)
- rewrote the implementation to use Crypto::CCryptoManager's session data encryption feature (which makes the CSecureString() class compatible with Linux and OSX)
- changed AddChar() to return the number of written characters (useful for UTF-8-mode)
- added missing integer overflow check
- fixed off-by-one checks (incl. off-by-one checks in AddChar() in UTF-8 mode)
- several compile error/warning fixes
- added documentation
- whitespaces
- updated changelog entries (mainly for 0.1.3) (facebookarchive#130, #220, #223, #249, #225, #226, #227, #228, #236, #238, #242, #258, #259, #261, #262, #263, #264, #265, #269)
Luke1410 added a commit to SLikeSoft/SLikeNet that referenced this pull request Sep 2, 2019
- CMake
- renamed project name from RakNet -> SLikeNet (#222)
- by default build the retail version now (#222)
- changed created include directory from raknet -> slikenet (#222)
- changed target name for non-Windows platform to libslikenet using set_target_properties(OUTPUT_NAME) (#189)
- added version number using set_target_properties() (VERSION and SOVERSION) (#222)
- replaced usage of direct CMAKE_CXX_FLAGS variable by using add_definitions() (#222)
- renamed variables RAKNET_XXX -> SLIKENET_XXX (#222)
- correct the OpenSSL include directory (#254)
- removed obsolete HAVE_64_BIT variable (facebookarchive#130)
- removed obsolete RAKNET_INCLUDE_DIRS variable (facebookarchive#130)
- multiple other tweaks (facebookarchive#130, #269)
Luke1410 added a commit to SLikeSoft/SLikeNet that referenced this pull request Sep 2, 2019
- minor tweaks (facebookarchive#130, #269)
Luke1410 added a commit to SLikeSoft/SLikeNet that referenced this pull request Sep 2, 2019
- added CMake configuration and version configuration support (facebookarchive#132)
- added slikenet.h to simplify CMake include directory detection (facebookarchive#132)
- tweaked the way to specify the version number (facebookarchive#132)
- use version based install directories to support installing multiple versions in parallel (#222)
- use EXPORT handling for the CMake integration (facebookarchive#132)
- preps for CMake >= 2.8 make use of target_include_directories() (#222)
- minor tweaks (facebookarchive#130)
Luke1410 added a commit to SLikeSoft/SLikeNet that referenced this pull request Sep 3, 2019
…eclared external so to remove the need for including/dependent compile units to also include types.h (which is quite a burden due to the windows.h inclusion, f.e.) - facebookarchive#130
- add required OpenSSL dependency to CMake (#222)
Luke1410 added a commit to SLikeSoft/SLikeNet that referenced this pull request Sep 3, 2019
Luke1410 added a commit to SLikeSoft/SLikeNet that referenced this pull request Sep 3, 2019
- clarified changelog entry to not suggest that all compile errors were fixed (#220)
Luke1410 added a commit to SLikeSoft/SLikeNet that referenced this pull request Sep 16, 2019
This is a backport of a security-relevant fix for RakNet we discovered. The issue has already been fixed in SLikeNet 0.1.0 (see https://www.slikenet.com/).
We provide this backport for people who prefer to stick with the RakNet project and also in order to more easily share this fix with other RakNet forks.
We could/did not calculate a CVSS score, since such a score heavily depends on how exactly the 3rd-party-library (IrrlichtEngine) handles the potentially non-null-terminated string. Note that this can also differ between different versions of the 3rd-party-library.
The security implications of the issue should be considered low. It's only an issue in the sample integration and therefore only applies to games/apps which make use of the code provided in RakNetStuff for their integration with the IrrlichtEngine. Since a non-null-terminated string can, however, result in out-of-bounds memory access, we decided to treat this issue as a potential security vulnerability.
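
The bug class described in this pull request, as an added C illustration that is not code from RakNet, SLikeNet or Irrlicht. The page does not show the affected code, so the use of `strncpy`, the buffer size `NAME_LEN` and all function names are assumptions. It shows a bounded copy that leaves a fixed buffer unterminated, a bounded check for that state, and a copy that always terminates.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 8 /* hypothetical buffer size, not taken from RakNetStuff */

/* Returns 1 if buf[0..cap) holds a terminator. memchr() is bounded by cap,
   so the check itself never reads past the buffer. */
int is_terminated(const char *buf, size_t cap)
{
    return memchr(buf, '\0', cap) != NULL;
}

/* Unsafe pattern: strncpy() writes no terminator when strlen(src) >= cap. */
void copy_unsafe(char *dst, size_t cap, const char *src)
{
    strncpy(dst, src, cap);
}

/* Hardened pattern: copy at most cap - 1 bytes and always terminate.
   Returns 1 if src had to be truncated, 0 if it fit. */
int copy_safe(char *dst, size_t cap, const char *src)
{
    size_t n;

    if (cap == 0)
        return 1;
    n = strlen(src);
    if (n >= cap) {
        memcpy(dst, src, cap - 1);
        dst[cap - 1] = '\0';
        return 1;
    }
    memcpy(dst, src, n + 1); /* includes the terminator */
    return 0;
}

int main(void)
{
    char name[NAME_LEN];
    const char *input = "PlayerOneLongName"; /* constructed sample input */

    copy_unsafe(name, sizeof name, input);
    printf("unsafe copy terminated: %d\n", is_terminated(name, sizeof name));

    copy_safe(name, sizeof name, input);
    printf("safe copy terminated:   %d (\"%s\")\n",
           is_terminated(name, sizeof name), name);
    return 0;
}
```

A consumer that treats the unterminated buffer as a C string (for example via `strlen` or `%s`) keeps reading past its end, which is the out-of-bounds access the description refers to.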