From 56aa6d0eddb60fac20cde82cd496005369ca1b8d Mon Sep 17 00:00:00 2001 From: rubidium42 Date: Sun, 2 May 2021 11:05:50 +0200 Subject: Fix: [Network] Reading beyond the length of the server's ID when hashing password Under normal circumstances the server's ID is 32 characters excluding '\0', however this can be changed at the server. This ID is sent to the server for company name hashing. The client reads it into a statically allocated buffer of 33 bytes, but fills only the bytes it received from the server. However, the hash assumes all 33 bytes are set, thus potentially reading uninitialized data, or a part of the server ID of a previous game in the hashing routine. It is still reading from memory assigned to the server ID, so nothing bad happens, except that company passwords might not work correctly. --- src/network/network.cpp | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) (limited to 'src') diff --git a/src/network/network.cpp b/src/network/network.cpp index af732facd..c00a3650f 100644 --- a/src/network/network.cpp +++ b/src/network/network.cpp @@ -176,12 +176,15 @@ const char *GenerateCompanyPasswordHash(const char *password, const char *passwo if (StrEmpty(password)) return password; char salted_password[NETWORK_SERVER_ID_LENGTH]; + size_t password_length = strlen(password); + size_t password_server_id_length = strlen(password_server_id); - memset(salted_password, 0, sizeof(salted_password)); - seprintf(salted_password, lastof(salted_password), "%s", password); /* Add the game seed and the server's ID as the salt. */ for (uint i = 0; i < NETWORK_SERVER_ID_LENGTH - 1; i++) { - salted_password[i] ^= password_server_id[i] ^ (password_game_seed >> (i % 32)); + char password_char = (i < password_length ? password[i] : 0); + char server_id_char = (i < password_server_id_length ? password_server_id[i] : 0); + char seed_char = password_game_seed >> (i % 32); + salted_password[i] = password_char ^ server_id_char ^ seed_char; } Md5 checksum; -- cgit v1.2.3-70-g09d2