CVE-2010-4168 (vulnerable 1.0.0 - fixed 1.0.5)

Short description: Denial of service (server/client) via invalid read

Official CVE-2010-4168 entry at

Related bug reports:

Related commits:

Patches: (sometimes more fuzz is needed to apply them)

When a client disconnects, without sending the “quit” or “client error” message, the server has a chance of reading and writing a just freed piece of memory. The chance depends on when the disconnect is noticed, whether OpenTTD can write to the socket, and whether there are packets from the client waiting to be processed. The writing can only happen while the server is sending the map.

For clients there is a chance that, upon reconnect after being disconnected during the join process, a just freed piece of memory is read.

Depending on what happens directly after freeing the memory there is a chance that a segmentation fault, and thus a denial of service will occur.

The attached patch does not change network compatability at all.