
Buffer overflow vulnerability #8

@marcellp

Description


This plugin seems to crash my server when the server you're connected to returns large amounts of data. This is a reasonably big problem because it prevents people from using this plugin with protocols where large responses are the norm (HTTP, FTP data transfer, etc.).

I've compiled the plugin from the current source tree.

In order to reproduce this bug, establish a netcat listener on an arbitrary port:

nc -L -p 11111

Create a sample script for testing:

#include <a_samp>
#include <socket>

main()
{
    new Socket:sock = socket_create(TCP);
    if(is_socket_valid(sock)) {
        socket_connect(sock, "127.0.0.1", 11111);
    }
}

public onSocketAnswer(Socket:id, data[])
{
}

Run the server while the netcat listener is open. When the connection gets established, send a random 2048 byte input from nc:


Expected behavior: the data[] string of the callback should contain the data returned by the server.
Observed behavior: the server crashes and shuts down.
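The failure mode the report describes is a response larger than the plugin's receive buffer being copied into it without a length check. The following is an added example written for this issue, not code from the socket plugin: it models the bounded receive path a plugin would need so that a 2048-byte (or larger) answer is delivered to the callback in fixed-size, NUL-terminated chunks instead of overrunning the buffer. RECV_CHUNK, bounded_copy, deliver_in_chunks and the tally callback are assumptions for illustration; the plugin's real buffer size and callback plumbing are not on the page, and the 2048-byte payload is constructed rather than captured.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed fixed-size staging buffer, standing in for whatever the plugin uses. */
#define RECV_CHUNK 1024

/* Callback shape standing in for Pawn's onSocketAnswer(Socket:id, data[]).
 * The length is passed alongside the data so binary answers (FTP data, etc.)
 * are not cut at an embedded NUL. */
typedef void (*answer_cb)(const char *data, size_t len, void *ctx);

/* Copy at most dstsz-1 bytes into dst and always NUL-terminate it.
 * Returns 1 if the source did not fit (truncated), 0 otherwise.
 * This is the check the reported crash suggests is missing. */
int bounded_copy(char *dst, size_t dstsz, const char *src, size_t srclen) {
    if (dstsz == 0) return 1;
    size_t n = srclen < dstsz - 1 ? srclen : dstsz - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return n < srclen;
}

/* Deliver an arbitrarily large response through a fixed staging buffer,
 * one bounded chunk per callback. Returns the number of callbacks issued. */
size_t deliver_in_chunks(const char *resp, size_t resplen, answer_cb cb, void *ctx) {
    char stage[RECV_CHUNK];
    size_t off = 0, calls = 0;
    while (off < resplen) {
        size_t n = resplen - off;
        if (n > RECV_CHUNK - 1) n = RECV_CHUNK - 1;   /* leave room for the NUL */
        bounded_copy(stage, sizeof stage, resp + off, n);
        cb(stage, n, ctx);
        off += n;
        calls++;
    }
    return calls;
}

/* Test-side callback: records what a script-side handler would have seen. */
struct tally { size_t bytes; size_t calls; size_t max_chunk; };

static void tally_cb(const char *data, size_t len, void *ctx) {
    struct tally *t = ctx;
    (void)data;
    t->bytes += len;
    t->calls++;
    if (len > t->max_chunk) t->max_chunk = len;
}

/* Simulate the report: a server answer of `total` bytes (capped at 4096 here),
 * constructed inline rather than read from a socket. */
struct tally simulate_large_response(size_t total) {
    static char big[4096];
    struct tally t = {0, 0, 0};
    if (total > sizeof big) total = sizeof big;
    memset(big, 'A', total);                 /* constructed payload */
    deliver_in_chunks(big, total, tally_cb, &t);
    return t;
}

int main(void) {
    struct tally t = simulate_large_response(2048);
    printf("2048-byte answer: %zu callbacks, %zu bytes, largest chunk %zu\n",
           t.calls, t.bytes, t.max_chunk);
    return 0;
}
```

With a 1024-byte staging buffer a 2048-byte answer arrives as three callbacks (1023 + 1023 + 2 bytes) and every byte reaches the script; with the unchecked copy the report describes, the same input overruns the buffer and takes the server down.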
