- Discovered by: vmpr0be
- Severity: Critical - 9.1
- Impact: Arbitrary 5-byte read within the binary's memory bounds; possible constrained data corruption
- Affected versions: Starting from commit ba86dfd927b5e2432be797e12095642dc4091fe1
- Technical Summary: An unvalidated entity ID from the client is used (negated) as an array index into mob_data, resulting in out-of-bounds memory access and potential disclosure of memory contents via the coordinates sent back to the client.
Call chain: handlePacket -> cs_interact -> interactEntity

```c
// src/packets.c
// https://github.com/p2r3/bareiron/blob/ba86dfd927b5e2432be797e12095642dc4091fe1/src/packets.c#L1167
int cs_interact (int client_fd) {
  int entity_id = readVarInt(client_fd);
  uint8_t type = readByte(client_fd);
  ...
  // https://github.com/p2r3/bareiron/blob/ba86dfd927b5e2432be797e12095642dc4091fe1/src/packets.c#L1182C7-L1182C11
  if (type == 0) { // Interact
    interactEntity(entity_id, client_fd); // <== !!! entity_id isn't checked
  }
  ...
}

// src/procedures.c
void interactEntity (int entity_id, int interactor_id) {
  ...
  // https://github.com/p2r3/bareiron/blob/ba86dfd927b5e2432be797e12095642dc4091fe1/src/procedures.c#L1405
  MobData *mob = &mob_data[-entity_id - 2]; // <== OOB access using the unchecked value
  switch (mob->type) {
    case 106: // Sheep
      ...
      // https://github.com/p2r3/bareiron/blob/ba86dfd927b5e2432be797e12095642dc4091fe1/src/procedures.c#L1420C7-L1420C26
      playPickupAnimation(player, I_white_wool, mob->x, mob->y, mob->z); // <== !!! x, y and z are sent to the client
  }
}
```
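The fix the root cause calls for is to validate the client-supplied entity ID before it is turned into an index. The following is an added example, not bareiron's code: it mirrors the page's `-entity_id - 2` encoding with a stand-in `MobData`/`mob_data` of an assumed size (`MOB_COUNT`, a hypothetical constant; the real table length is not given on the page) and rejects any ID that does not land inside the table.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for bareiron's MobData / mob_data: only the fields the advisory
 * mentions. MOB_COUNT is an assumed size; use the real array length. */
typedef struct { uint8_t type; int32_t x, y, z; } MobData;
#define MOB_COUNT 16
static MobData mob_data[MOB_COUNT];

/* Mob entity IDs are encoded as -(index) - 2, so index = -entity_id - 2.
 * Returns the table index, or -1 when entity_id does not map inside mob_data. */
int mob_index_from_entity_id(int entity_id) {
  /* Non-negative IDs never address a mob; reject before negating. */
  if (entity_id >= 0) return -1;
  /* Widen before negating so INT_MIN cannot overflow; -1 maps to index -1
   * and is rejected by the range check below. */
  long long idx = -(long long)entity_id - 2;
  if (idx < 0 || idx >= MOB_COUNT) return -1;
  return (int)idx;
}

/* Hardened lookup: returns NULL instead of a pointer outside the table,
 * so callers never read (or leak) memory past mob_data. */
MobData *lookup_mob(int entity_id) {
  int idx = mob_index_from_entity_id(entity_id);
  return idx < 0 ? NULL : &mob_data[idx];
}

int main(void) {
  /* Constructed sample IDs: two valid, four that the unchecked original
   * would have turned into out-of-bounds indices. */
  int ids[] = { -2, -17, -18, -1, 0, 1000000 };
  for (size_t i = 0; i < sizeof ids / sizeof ids[0]; i++) {
    MobData *m = lookup_mob(ids[i]);
    printf("entity_id %d -> %s\n", ids[i], m ? "valid mob" : "rejected");
  }
  return 0;
}
```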