Short description: Denial of service (server) using ships on half tiles and landscaping.
Official CVE-2012-3436 entry at cve.mitre.org.
Related bug reports:
Patches: (sometimes more fuzz is needed to apply them)
- For version 0.6.0 up to including 0.6.3
- For version 0.7.0 up to including 0.7.5
- For version 1.0.0 up to including 1.0.5
- For version 1.1.0 up to including 1.1.5
- For version 1.2.0 up to including 1.2.1
Denial of service using ships on half tiles and landscaping.
Simple steps to reproduce the issue, and show the severity:
- start a new game. For this reproduction you do not need to start a server; you can see the crash locally, but due to the nature of OpenTTD the crash will also happen on the server you’re playing on with multiplayer.
- build some horizontal or vertical track at the coast, so that half of the tile remains water or coast. The tile should either have one corner raised with flat water on one half tile (case 1) or two adjacent corners raised with coast on the sloped half tile (case 2)
- build a ship depot, a ship and a dock at the coast, and start the ship
- obstruct the path of the ship in a way so that it enters the tile with half railtrack and half water
- landscape the tile by raising the water corner while the ship is on it (only needed in case 1)
- both cases will make the ship end up on land
- remove the track using the “remove track” tool while the ship is on the tile
- server segfaults due to NULL pointer dereference.
The problem is caused by incorrectly handling the water/coast aspect of tiles which also have railtracks on one half. The fix adds the correct checks to the landscaping and movement code.
If you try to reproduce this with the patch applied you’ll see that, in case 1, step 5 will deny the terraforming and in case 2 the ship simply won’t try to enter the coast tile.
This bug was triggered incidentally by a user playing online when landscaping near a ship. We have not seen any signs of this bug being exploited forcefully.