Short description: Denial of service (server) using forcefully crashed aircraft.
Official CVE-2013-6411 entry at cve.mitre.org.
Related bug reports:
Patches: (sometimes more fuzz is needed to apply them)
- For version 1.2.0 up to and including 1.3.2
- For version 1.0.0 up to and including 1.1.5
- For version 0.6.0 up to and including 0.7.3
- For version 0.3.6 up to and including 0.5.3
Denial of service using aircraft that are forcefully crashed.
Simple steps to reproduce the issue, and show the severity:
- Start a new game. For this reproduction you do not need to start a server; you can see the crash locally, but due to the nature of OpenTTD the crash will also happen on the server you’re playing on in multiplayer
- Build an airport at the map corner and join it with a rail station
- Make this airport the order destination for planes that start from another place, or use the close airport feature, in which case they may also start from the same airport
- Wait until all planes are sky high and rotating around the corner airport
- In case aircraft are launched from another airport, remove that airport
- Remove the airport part of the corner airport, and leave only the rail station
- Remove the rail station part
- Wait for the aircraft to keep circling and eventually crash due to lack of fuel
- Server segfaults due to invalid memory access (stable releases), or triggers an assertion (most other builds)
The problem is caused by incorrectly handling the fact that the aircraft circling the corner airport will be outside of the bounds of the map. In the ‘out of fuel’ crash code the height of the tile under the aircraft is determined. In this case that means a tile outside of the allocated map array, which could occasionally trigger invalid reads.
The fix makes sure the height of the map border is used when the aircraft is outside of the map.
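A simplified model of the out-of-bounds lookup and the border-clamping fix described above, as an added example that is not OpenTTD's code. The map layout, the tile size of 16 and every name in it are assumptions made for illustration.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Simplified tile map; every name here is hypothetical, not OpenTTD's API.
constexpr int kTileSize = 16;  // assumed pixels per tile edge

struct HeightMap {
    int size_x, size_y;                // map dimensions in tiles
    std::vector<std::uint8_t> height;  // row-major, size_x * size_y entries

    HeightMap(int sx, int sy)
        : size_x(sx), size_y(sy), height(static_cast<std::size_t>(sx) * sy, 0) {}

    // Index an unchecked lookup would compute from a pixel position.
    long RawIndex(int px, int py) const {
        return static_cast<long>(py / kTileSize) * size_x + px / kTileSize;
    }

    // True when that index lies outside the array (an invalid read).
    bool RawIndexOverruns(int px, int py) const {
        long i = RawIndex(px, py);
        return i < 0 || i >= static_cast<long>(height.size());
    }

    // Hardened lookup: clamp the position to the map first, so a position
    // outside the map yields the height of the nearest border tile.
    std::uint8_t HeightAtClamped(int px, int py) const {
        int cx = std::max(0, std::min(px, size_x * kTileSize - 1));
        int cy = std::max(0, std::min(py, size_y * kTileSize - 1));
        return height[static_cast<std::size_t>(cy / kTileSize) * size_x + cx / kTileSize];
    }
};

// Constructed sample: 4x4 map with distinct heights on three border tiles.
HeightMap MakeSampleMap() {
    HeightMap m(4, 4);
    m.height[0] = 3;          // corner tile (0,0)
    m.height[1 * 4 + 3] = 5;  // border tile (3,1)
    m.height[3 * 4 + 3] = 7;  // corner tile (3,3)
    return m;
}

int main() {
    HeightMap m = MakeSampleMap();
    std::printf("overruns=%d clamped=%d\n", m.RawIndexOverruns(70, 70), m.HeightAtClamped(70, 70));
    return 0;
}
```

In this model a position past one edge only, such as (70, 20), produces a raw index that is still inside the array but belongs to a different tile, so an unchecked lookup does not fail on every out-of-map position.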