Short description: Denial of service (server) using wagons and dual-headed engine
Official CVE-2009-4007 entry at cve.mitre.org.
Related bug reports:
Patches: (sometimes more fuzz is needed to apply them)
Denial of service using wagons and dual headed wagons.
Simple steps to reproduce the issue, and show the severity:
- start a new game in the year 1960; note that this crash works with all dual headed trains and as such basically all servers with a game date after about the year 1960. For this reproduction you do not need to start a server; you can see the crash locally, but due to the nature of OpenTTD the crash will also happen on the server you’re playing on with multiplayer.
- build a rail depot
- open the depot window
- buy two dual headed trains, the Manley-Morel DMU (Diesel)
- buy two wagons, e.g. passenger wagons
- move train 2 to the back of the unnumbered train at line 3, the unnumbered train goes to line 2 now
- move the second wagon of the unnumbered train to be placed at the third position, i.e. between the two dualhead parts
- move, while pressing Ctrl (this is important), the second wagon on third position of the unnumbered train to the back of train 1
- sell the complete unnumbered train, while pressing Ctrl drag it to the top button on the right and this will then trigger a segmentation fault
The problem is caused by the fact that the free wagon chains aren’t normalised, i.e. the dualheads aren’t properly put together. It is trivially fixed by running the normalisation of the train also over free wagon chains. As NormaliseTrainConsist is only ran on the front of trains v may only be IsFreeWagon or IsFrontEngine, which is what the assert tests, but as the assert isn’t executed for release builds it can be removed instead of updated to cover both IsFrontEngine and IsFreeWagon.
If you try to reproduce this with the patch applied you’ll see that after step 8 only the wagon is moved and not the half of the dual headed train. This will then make sure you cannot sell only one part of the dual headed train, which is what causes the segmentation fault.
We have not seen any signs of this bug being exploited in the real world.