Bug #621

Login service casts pointer to uint32 and sends it over network.

Added by kaetemi about 6 years ago. Updated almost 5 years ago.

Status: New
Start date: 06/17/2009
Priority: Normal
Due date:
Assignee: -
% Done: 0%
Category: -
Target version: -

Description

At line 163 in connection_client.cpp, the login service hacks a NLNET::TSockId into a login cookie. NLNET::TSockId is a typedef for NLNET::CBufSock * (a pointer to the socket with buffer). A similar setup occurs in connection_web.cpp at line 173.

CLoginCookie c;
c.set((uint32)(uintptr_t)from, rand(), uid);

When the user chooses a shard, it sends this cookie to the welcome service of a shard, which passes it back to the login service when it responds.
At line 408 or 412 it directly casts the uint32 from the cookie back into a NLNET::TSockId, and passes it to the ClientsServer->send function, which uses it as a pointer.
ClientsServer->send (msgout, (TSockId)cookie.getUserAddr ()); ...
... void CCallbackServer::send (const CMessage &buffer, TSockId hostid, bool /* log */) ...
... CBufServer::send (buffer, hostid); ...
... pushBufferToHost( buffer, hostid ); ...
... if ( hostid->pushBuffer( buffer ) ) // <- hostid is the TSockId that was cast from a uint32 received from the network

Might be problematic on 64-bit systems, and may result in security issues when accepting third party shards on a login service.
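The two halves of the problem described above, as an added example that is not code from the report or from NeL/Ryzom: first the narrowing round trip the cookie performs (a 64-bit pointer squeezed into a uint32 and widened again does not come back equal), then one way to fix it, by handing out an opaque random 32-bit handle and resolving it through a server-side table so that a value received from the network is only ever used as a lookup key, never as an address. CBufSock here is a two-field stand-in for NLNET::CBufSock, and CSockHandleTable, registerSock, lookup, unregisterSock and sendToCookieOwner are hypothetical names chosen for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <map>
#include <random>

// Stand-in for NLNET::CBufSock (constructed for this example; the real class
// is a socket with a send/receive buffer). TSockId keeps the page's typedef.
struct CBufSock {
    int fd;
};
typedef CBufSock *TSockId;

// Root cause from the report: the cookie narrows a pointer to uint32 and the
// reply path widens it back. Returns true only if the value survives; on a
// 64-bit build any pointer with bits above bit 31 set fails this check.
bool pointerSurvivesUint32RoundTrip(TSockId from) {
    uint32_t wire = (uint32_t)(uintptr_t)from;   // what the cookie stores
    TSockId back = (TSockId)(uintptr_t)wire;     // what the reply path rebuilds
    return back == from;
}

// Mitigation (hypothetical class): issue opaque handles and keep the mapping
// server-side. A handle that is not in the table is rejected instead of being
// dereferenced, and a handle is removed when its socket goes away.
class CSockHandleTable {
public:
    CSockHandleTable() : _rng(0x5eed) {}  // fixed seed only so the example is reproducible

    // Register a connected socket; returns the token to place in the login cookie.
    uint32_t registerSock(TSockId sock) {
        uint32_t h;
        do {
            h = (uint32_t)_rng();
        } while (h == 0 || _table.count(h) != 0);  // 0 is reserved, no reuse of live handles
        _table[h] = sock;
        return h;
    }

    // Resolve a token that arrived from the network. nullptr means unknown or
    // stale; the caller must drop the message rather than touch any pointer.
    TSockId lookup(uint32_t handle) const {
        std::map<uint32_t, TSockId>::const_iterator it = _table.find(handle);
        return it == _table.end() ? nullptr : it->second;
    }

    // Called on disconnect so a replayed cookie can never reach a freed socket.
    void unregisterSock(uint32_t handle) { _table.erase(handle); }

    size_t size() const { return _table.size(); }

private:
    std::mt19937 _rng;
    std::map<uint32_t, TSockId> _table;
};

// Reply path written over the table instead of a cast. Returns true if the
// message would be delivered; false means the cookie's user address was rejected.
bool sendToCookieOwner(const CSockHandleTable &table, uint32_t userAddr) {
    TSockId host = table.lookup(userAddr);
    if (host == nullptr) {
        return false;  // not issued by this login service, or already closed
    }
    // The real code would call ClientsServer->send(msgout, host) here with a
    // pointer that came from our own table, not from the wire.
    return true;
}
```

The table replaces the `(TSockId)cookie.getUserAddr()` cast: the uint32 in the cookie stays a uint32 on both ends, and a welcome service that returns a cookie the login service never issued gets nothing sent to it.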

History

#1 Updated by kervala almost 5 years ago

  • Project changed from NeL to Ryzom
  • Category deleted (Net)
