fix: Potential DOS attack on server by sending packed ulongs when packed uints are expected. (#730)

atlv24 · vis2k · commit 015d0d508e19 · 2019-04-05T19:52:00.000+02:00
* fix: Potential DOS attack on server by sending packed ulongs when packed uints are expected.

* Update NetworkReader.cs
diff --git a/Assets/Mirror/Runtime/NetworkReader.cs b/Assets/Mirror/Runtime/NetworkReader.cs
@@ -82,7 +82,10 @@ public uint ReadPackedUInt32()
             ulong value = ReadPackedUInt64();
             if (value > uint.MaxValue)
             {
-                throw new IndexOutOfRangeException("ReadPackedUInt32() failure, value too large");
+                // show warning, but don't throw an exception to avoid DOS attack where
+                // an attacker might send a packed UInt64 where a packed UInt32 was
+                // expected (https://github.com/vis2k/Mirror/pull/730/)
+                Debug.LogWarning("ReadPackedUInt32() failure, value too large: " + value);
             }
             return (uint)value;
         }
diff --git a/Assets/Mirror/Tests/NetworkWriterTest.cs b/Assets/Mirror/Tests/NetworkWriterTest.cs
@@ -144,6 +144,22 @@ public void TestPackedUInt32()
             Assert.That(reader.ReadPackedUInt32(), Is.EqualTo(uint.MaxValue));
         }
 
+        [Test]
+        public void TestPackedUInt32Failure()
+        {
+            Assert.DoesNotThrow(() => {
+                NetworkWriter writer = new NetworkWriter();
+                writer.WritePackedUInt64(1099511627775);
+                writer.WritePackedUInt64(281474976710655);
+                writer.WritePackedUInt64(72057594037927935);
+
+                NetworkReader reader = new NetworkReader(writer.ToArray());
+                reader.ReadPackedUInt32();
+                reader.ReadPackedUInt32();
+                reader.ReadPackedUInt32();
+            });
+        }
+
         [Test]
         public void TestPackedInt32()
         {
@@ -180,6 +196,22 @@ public void TestPackedInt32()
             Assert.That(reader.ReadPackedInt32(), Is.EqualTo(int.MinValue));
         }
 
+        [Test]
+        public void TestPackedInt32Failure()
+        {
+            Assert.DoesNotThrow(() => {
+                NetworkWriter writer = new NetworkWriter();
+                writer.WritePackedInt64(1099511627775);
+                writer.WritePackedInt64(281474976710655);
+                writer.WritePackedInt64(72057594037927935);
+
+                NetworkReader reader = new NetworkReader(writer.ToArray());
+                reader.ReadPackedInt32();
+                reader.ReadPackedInt32();
+                reader.ReadPackedInt32();
+            });
+        }
+
         [Test]
         public void TestPackedUInt64()
         {

Original file line number	Diff line number	Diff line change
`@@ -82,7 +82,10 @@ public uint ReadPackedUInt32()`
`82`	`82`	`ulong value = ReadPackedUInt64();`
`83`	`83`	`if (value > uint.MaxValue)`
`84`	`84`	`{`
`85`		`- throw new IndexOutOfRangeException("ReadPackedUInt32() failure, value too large");`
	`85`	`+ // show warning, but don't throw an exception to avoid DOS attack where`
	`86`	`+ // an attacker might send a packed UInt64 where a packed UInt32 was`
	`87`	`+ // expected (https://github.com/vis2k/Mirror/pull/730/)`
	`88`	`+ Debug.LogWarning("ReadPackedUInt32() failure, value too large: " + value);`
`86`	`89`	`}`
`87`	`90`	`return (uint)value;`
`88`	`91`	`}`