Riddler66 reported in the lobby today that sending an excessively large chat message will trigger the host to crash.
Reproduce by starting a host, pressing F9, and typing Engine.SendNetworkChat("h".repeat(100000)).
Terminal output:
ERROR: CNetMessage: Corrupt packet (incorrect size)
ERROR: CNetMessage: Corrupt packet (incorrect size)
Segmentation fault (core dumped)
Stacktrace:
#0  CStr8::Deserialize (this=0x7fff7c548c80, buffer=0x1 <error: Cannot access memory at address 0x1>, bufferend=0x7fff7c57a139 "") at ../../../source/ps/CStr.cpp:512
#1  0x00005555555c4512 in CChatMessage::Deserialize (this=0x7fff7c548c70, pos=0xe2713dd79dd5d200 <error: Cannot access memory at address 0xe2713dd79dd5d200>, end=0x7fff7c57a139 "") at ../../../source/network/NetMessages.h:136
#2  0x00005555555d171e in CNetMessageFactory::CreateMessage (pData=0x7fff7c5493f0, dataSize=<optimized out>, scriptInterface=...) at ../../../source/network/NetMessage.cpp:227
#3  0x00005555555e012d in CNetServerWorker::RunStep (this=<optimized out>) at ../../../source/network/NetServer.cpp:544
#4  0x00005555555df8f8 in CNetServerWorker::Run (this=0x55555827ade0) at ../../../source/network/NetServer.cpp:394
#5  0x00005555555ddf8a in CNetServerWorker::RunThread (data=0x7ffff6329320 <_IO_stdfile_1_lock>) at ../../../source/network/NetServer.cpp:379
#6  0x00005555555e935f in std::__invoke_impl<void, void (*)(CNetServerWorker*), CNetServerWorker*> (__f=<error reading variable>, __args=<error reading variable>) at /usr/bin/../lib64/gcc/x86_64-pc-linux-gnu/9.2.0/../../../../include/c++/9.2.0/bits/invoke.h:60
#7  std::__invoke<void (*)(CNetServerWorker*), CNetServerWorker*> (__fn=<error reading variable>, __args=<error reading variable>) at /usr/bin/../lib64/gcc/x86_64-pc-linux-gnu/9.2.0/../../../../include/c++/9.2.0/bits/invoke.h:95
#8  std::thread::_Invoker<std::tuple<void (*)(CNetServerWorker*), CNetServerWorker*> >::_M_invoke<0ul, 1ul> (this=0xe2713dd79dd5d208) at /usr/bin/../lib64/gcc/x86_64-pc-linux-gnu/9.2.0/../../../../include/c++/9.2.0/thread:244
#9  std::thread::_Invoker<std::tuple<void (*)(CNetServerWorker*), CNetServerWorker*> >::operator() (this=0xe2713dd79dd5d208) at /usr/bin/../lib64/gcc/x86_64-pc-linux-gnu/9.2.0/../../../../include/c++/9.2.0/thread:251
#10 std::thread::_State_impl<std::thread::_Invoker<std::tuple<void (*)(CNetServerWorker*), CNetServerWorker*> > >::_M_run (this=0xe2713dd79dd5d200) at /usr/bin/../lib64/gcc/x86_64-pc-linux-gnu/9.2.0/../../../../include/c++/9.2.0/thread:195
#11 0x00007ffff657eee4 in std::execute_native_thread_routine (__p=0x555558967fb0) at /build/gcc/src/gcc/libstdc++-v3/src/c++11/thread.cc:80
#12 0x00007ffff63364cf in start_thread () from /usr/lib/libpthread.so.0
#13 0x00007ffff62652d3 in clone () from /usr/lib/libc.so.6
We notice that the packet size error is detected, but the return value that signals it is never checked by the caller.
So after detecting the size mismatch, deserialization continues and reads the GUID CStr field instead of abandoning the packet.
The check for that return value is therefore missing in the Deserialize call of NMTCreator.h.
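The checked-return pattern the analysis calls for, as an added example that is not the project's own code: a simplified, hypothetical wire format (length-prefixed strings, hypothetical names DeserializeString/DeserializeChat) where the caller stops at the first size mismatch instead of reading the next field from a bad position.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>

using u8 = uint8_t;

// Hypothetical, simplified wire format (not 0 A.D.'s): a string is a 32-bit
// little-endian length followed by that many bytes; a chat message is two
// strings, the sender GUID and the text.
// Returns a pointer just past the string on success, or nullptr when the
// declared length runs past the end of the packet ("incorrect size").
const u8* DeserializeString(const u8* pos, const u8* end, std::string& out)
{
    if (!pos || end - pos < 4)
        return nullptr;                    // not even room for the length
    uint32_t len;
    std::memcpy(&len, pos, 4);
    pos += 4;
    if (static_cast<size_t>(end - pos) < len)
        return nullptr;                    // size mismatch: stop here
    out.assign(reinterpret_cast<const char*>(pos), len);
    return pos + len;
}

struct ChatMessage { std::string guid; std::string text; };

// Hardened caller: each partial result is checked before the next field is
// read, so a corrupt length never reaches the second string deserialize.
bool DeserializeChat(const std::vector<u8>& packet, ChatMessage& msg)
{
    const u8* pos = packet.data();
    const u8* end = pos + packet.size();
    pos = DeserializeString(pos, end, msg.guid);
    if (!pos) return false;
    pos = DeserializeString(pos, end, msg.text);
    if (!pos) return false;
    return pos == end;                     // reject trailing bytes too
}

// Builds a constructed test string field with an explicit (possibly wrong)
// declared length, to simulate a packet whose size field lies.
std::vector<u8> EncodeField(uint32_t declaredLen, const std::string& body)
{
    std::vector<u8> v(4);
    std::memcpy(v.data(), &declaredLen, 4);
    v.insert(v.end(), body.begin(), body.end());
    return v;
}
```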