Potential Integer Overflow Vulnerability in CCrypto::GenerateRandomBlock()

[Asuk4]

Vulnerability Summary

A CWE-190: Integer Overflow vulnerability exists in the SendMessageToUser function of the GameNetworkingSockets library. The vulnerable code calculates a buffer size using a user-controlled input without validating for overflow. The resulting integer wraps around and is passed to AllocateMessage(cbSize), which internally performs:

pMsg->m_pData = malloc(cbSize);

This can lead to a heap buffer overflow during later writes.

---

Vulnerable Code

int cbSend = cubData + sizeof(P2PMessageHeader);  // Potential overflow
CSteamNetworkingMessage *pMsg = m_steamNetworkingSockets.m_pSteamNetworkingUtils->AllocateMessage(cbSend);

• cubData is user-controlled (e.g., received from remote peer).

• No overflow check on cubData + sizeof(...).

• AllocateMessage() ultimately calls malloc(cbSend) internally:

  pMsg->m_pData = malloc(cbSize);

• If cubData is large (e.g., 0xFFFFFFF0), the addition wraps around and results in a small cbSend.

• Later operations assume pMsg->m_pData has cubData bytes, causing memory corruption.

---

Recommended Mitigation

Add an overflow-safe check before performing the addition:

if ( cubData > INT_MAX - sizeof(P2PMessageHeader) )
    return; // or handle error
int cbSend = cubData + sizeof(P2PMessageHeader);

[thouravi]

@zpostfacto

[Arr-n-D]

Hi @Asuk4, I'd advise deleting this and disclosing it via their Security policy
https://github.com/ValveSoftware/GameNetworkingSockets/blob/master/SECURITY.md