Multiple use-after-free vulnerabilities in OpenTTD 1.0.x before 1.0.5 allow (1) remote attackers to cause a denial of service (invalid write and daemon crash) by abruptly disconnecting during transmission of the map from the server, related to network/network_server.cpp; (2) remote attackers to cause a denial of service (invalid read and daemon crash) by abruptly disconnecting, related to network/network_server.cpp; and (3) remote servers to cause a denial of service (invalid read and application crash) by forcing a disconnection during the join process, related to network/network.cpp.
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
| Link | Tags |
|---|---|
| http://secunia.com/advisories/42578 | third party advisory broken link |
| http://www.vupen.com/english/advisories/2010/2985 | vendor advisory broken link vdb entry |
| http://security.openttd.org/en/CVE-2010-4168 | patch vendor advisory |
| http://lists.fedoraproject.org/pipermail/package-announce/2010-December/052193.html | vendor advisory mailing list third party advisory |
| http://marc.info/?l=oss-security&m=128984298802678&w=2 | mailing list |
| http://security.openttd.org/en/patch/28.patch | patch |
| http://vcs.openttd.org/svn/changeset/21182 | broken link |
| http://www.securityfocus.com/bid/44844 | broken link third party advisory vdb entry |
| http://lists.fedoraproject.org/pipermail/package-announce/2010-December/052187.html | vendor advisory mailing list third party advisory |
| http://marc.info/?l=oss-security&m=128975491407670&w=2 | mailing list |
| http://www.vupen.com/english/advisories/2010/3199 | vdb entry broken link |