Short description: Denial of service via improperly validated commands
Related bug reports:
Patches: (sometimes more fuzz is needed to apply them)
- For version 1.1.0 up to including 1.1.2
- For version 1.0.1 up to including 1.0.5
- For version 1.0.0 up to including 1.0.0
- For version 0.7.0 up to including 0.7.5
- For version 0.6.0 up to including 0.6.3
- For version 0.3.5 up to including 0.5.3
In multiple places in-game commands are not properly validated that allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unspecified vectors.
The bug is exploitable only in-game so the attacker must have access to the server: his IP must not be banned, he must know the password if it has been set and the server must not be full.
The major cause of these bugs are off-by-one errors in the validation of the sent commands from the clients to the server, and from the server to the client. One could therefore, in theory, affect both the server and the clients of that server.
Two of the cases (since 0.7.0) are known to make the game state invalid, which causes an eventual crash of the application via an “abort()”. Two cases cause a read beyond the boundaries of a (static) table (resp. since 0.3.5 and 1.0.0). The last case allows changes to the game state of others that might trigger invalid reads for other players if they had the autoreplace window opened (since 0.6.0).