The International Simutrans Forum

Development => Patches & Projects => Incorporated Patches and Solved Bug Reports => Topic started by: janry on May 25, 2026, 11:54:13 PM

Title: network: cap wire count and stop leaking socket_info on nettool load
Post by: janry on May 25, 2026, 11:54:13 PM
It appears my previous hardening around nwc_service_t wasn't enough.
I'm using a fuzzer to find more crashes.

socket_list_t::rdwr and address_list_t::rdwr each read a uint32
count off the wire and ran that many allocations with no
per-packet ceiling; a 0xffffffff count from a malicious peer
OOM'd the receiver.  Reject any count that can't physically fit
in the packet body (>= MAX_PACKET_LEN - HEADER_SIZE bytes for
socket_info entries' 1-byte state floor; same / 8 for the
ip+mask pair in net_address_t).

nwc_service_t::~nwc_service_t was deleting the
vector_tpl<socket_info_t*> container without freeing the
socket_info_t entries socket_list_t::rdwr had new'd into it;
each loaded client-list packet leaked.  Free the pointers
explicitly, and provide the previously-declared-but-undefined
socket_info_t::~socket_info_t (no other code path delete'd a
socket_info_t before this).
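The count check described in the post above, as an added example that is not code from the simutrans tree: a stand-in address_list reader that rejects a wire count before it reserves anything. MAX_PACKET_LEN, HEADER_SIZE, the 8-byte ip+mask wire size and the helper names are assumed values for this example, not the project's own.

```cpp
#include <cstdint>
#include <cstddef>
#include <vector>
// Assumed stand-ins for simutrans' MAX_PACKET_LEN / HEADER_SIZE (constructed values).
constexpr size_t MAX_PACKET_LEN = 4096, HEADER_SIZE = 8;
constexpr size_t MAX_BODY = MAX_PACKET_LEN - HEADER_SIZE;
constexpr size_t ADDR_WIRE_SIZE = 8;                    // ip + mask, 4 bytes each
struct net_address_t { uint32_t ip; uint32_t mask; };
// Big-endian uint32 decode (hypothetical helper); false if fewer than 4 bytes remain.
static bool rd_u32(const uint8_t *buf, size_t len, size_t &pos, uint32_t &out) {
    if (len - pos < 4) return false;
    out = (uint32_t)buf[pos] << 24 | (uint32_t)buf[pos + 1] << 16 |
          (uint32_t)buf[pos + 2] << 8 | (uint32_t)buf[pos + 3];
    pos += 4;
    return true;
}
// Hardened address_list read: the wire count is checked against what can physically
// fit in a packet body, and against the bytes actually present, before any allocation.
bool read_address_list(const uint8_t *body, size_t len, std::vector<net_address_t> &out) {
    size_t pos = 0;
    uint32_t count = 0;
    if (!rd_u32(body, len, pos, count)) return false;
    // The unhardened code did the equivalent of out.resize(count) right here,
    // so a 0xffffffff count was a ~32 GiB request and an OOM on the receiver.
    if (count > MAX_BODY / ADDR_WIRE_SIZE) return false;     // per-packet ceiling
    if (count > (len - pos) / ADDR_WIRE_SIZE) return false;  // bytes really received
    out.clear();
    out.reserve(count);
    for (uint32_t i = 0; i < count; ++i) {
        net_address_t a;
        if (!rd_u32(body, len, pos, a.ip) || !rd_u32(body, len, pos, a.mask)) return false;
        out.push_back(a);
    }
    return true;
}
// Constructed bodies: a sane two-entry list, a hostile 0xffffffff count, a short body.
static void put_u32(std::vector<uint8_t> &v, uint32_t x) {
    for (int s = 24; s >= 0; s -= 8) v.push_back((uint8_t)(x >> s));
}
bool demo() {
    std::vector<uint8_t> good, hostile, truncated;
    for (uint32_t w : {2u, 0x0A000001u, 0xFFFFFF00u, 0xC0A80001u, 0xFFFF0000u}) put_u32(good, w);
    put_u32(hostile, 0xffffffffu);
    for (uint32_t w : {3u, 0x0A000001u, 0xFFFFFF00u}) put_u32(truncated, w);
    std::vector<net_address_t> out;
    bool ok = read_address_list(good.data(), good.size(), out) && out.size() == 2 && out[1].mask == 0xFFFF0000u;
    return ok && !read_address_list(hostile.data(), hostile.size(), out)
              && !read_address_list(truncated.data(), truncated.size(), out);
}
```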
Title: Re: network: cap wire count and stop leaking socket_info on nettool load
Post by: prissi on May 26, 2026, 02:57:36 AM
Wow, so many problems fixed. Thank you for taking care of the network stack.

I still fear that with carefully engineered packets (like an invalid player number or coordinates outside the map for tools) one might still be able to crash one or the other tool. But your work is already a big progress. Thank you.
Title: Re: network: cap wire count and stop leaking socket_info on nettool load
Post by: janry on May 26, 2026, 09:07:53 AM
That's an honour for me to be helpful in this project :)