
Potential Integer Overflow Vulnerability in CCrypto::GenerateRandomBlock()

Open Asuk4 opened this issue 6 months ago • 2 comments

Vulnerability Summary

A CWE-190: Integer Overflow vulnerability exists in the SendMessageToUser function of the GameNetworkingSockets library. The vulnerable code calculates a buffer size using a user-controlled input without validating for overflow. The resulting integer wraps around and is passed to AllocateMessage(cbSize), which internally performs:

pMsg->m_pData = malloc(cbSize);

This can lead to a heap buffer overflow during later writes.


Vulnerable Code

int cbSend = cubData + sizeof(P2PMessageHeader);  // Potential overflow
CSteamNetworkingMessage *pMsg = m_steamNetworkingSockets.m_pSteamNetworkingUtils->AllocateMessage(cbSend);
  • cubData is user-controlled (e.g., received from remote peer).

  • No overflow check on cubData + sizeof(...).

  • AllocateMessage() ultimately calls malloc(cbSend) internally:

    pMsg->m_pData = malloc(cbSize);
  • If cubData is large (e.g., 0xFFFFFFF0), the addition wraps around and results in a small cbSend.

  • Later operations assume pMsg->m_pData has cubData bytes, causing memory corruption.


Recommended Mitigation

Add an overflow-safe check before performing the addition:

if ( cubData > INT_MAX - sizeof(P2PMessageHeader) )
    return; // or handle error
int cbSend = cubData + sizeof(P2PMessageHeader);

Asuk4 avatar Jun 01 '25 14:06 Asuk4
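Added example (not code from the issue or from the GameNetworkingSockets project): a small C helper showing the overflow-safe guard the report recommends, written so the size check happens in the wide size_t domain and the int result is only produced once it is known to fit. Assumptions: `P2PMessageHeader` is a stand-in struct of 16 bytes (the real size is whatever the library's sizeof gives), `cubData` is modelled as a `uint32_t`, and `compute_send_size` / `compute_send_size_unchecked` are names chosen here, not library functions.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the header struct named in the report.
 * Assumption: 16 bytes; the real value is sizeof(P2PMessageHeader) in the library. */
typedef struct {
    uint8_t bytes[16];
} P2PMessageHeader;

/* Checked version of  cbSend = cubData + sizeof(P2PMessageHeader)  stored in an int.
 * Returns true and writes *pcbSend when the sum fits in an int; returns false
 * otherwise, so the caller can reject the message instead of allocating a
 * wrongly sized buffer. The comparison is done in size_t, so the check itself
 * cannot overflow (INT_MAX - cbHeader is always representable). */
bool compute_send_size(uint32_t cubData, int *pcbSend)
{
    const size_t cbHeader = sizeof(P2PMessageHeader);

    if ((size_t)cubData > (size_t)INT_MAX - cbHeader)
        return false;                       /* would not fit: reject */

    *pcbSend = (int)((size_t)cubData + cbHeader);
    return true;
}

/* Unchecked version mirroring the pattern in the report: the sum is formed and
 * then narrowed to int with no range check, so an oversized cubData yields a
 * wrong (zero or negative) size instead of an error. Kept only for contrast. */
int compute_send_size_unchecked(uint32_t cubData)
{
    return (int)(cubData + sizeof(P2PMessageHeader));
}

int main(void)
{
    /* Constructed inputs: a normal payload size and the large value from the report. */
    uint32_t samples[] = { 1200u, 0xFFFFFFF0u };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int cbSend = 0;
        bool ok = compute_send_size(samples[i], &cbSend);
        printf("cubData=0x%08X checked=%s cbSend=%d unchecked=%d\n",
               samples[i], ok ? "ok" : "rejected", ok ? cbSend : -1,
               compute_send_size_unchecked(samples[i]));
    }
    return 0;
}
```

In a real call site the `false` branch should fail the send (or drop the received message) before any allocation; the checked helper is also the place to enforce a protocol-level maximum message size, which is usually far below INT_MAX and gives a tighter bound than the pure overflow guard.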

@zpostfacto

thouravi avatar Jun 03 '25 02:06 thouravi

Hi @Asuk4, I'd advise deleting this and disclosing it via their Security policy https://github.com/ValveSoftware/GameNetworkingSockets/blob/master/SECURITY.md

Arr-n-D avatar Jul 07 '25 16:07 Arr-n-D