Fix RakNet::RakString Security Bug

VERSION

@@ -1 +1 @@
-2.1.3
+2.1.4

docs/CHANGELOG.md

@@ -1,5 +1,8 @@
 # Changelog
 
+**2.1.4**
+* Fix RakNet::RakString Security Bug
+
 **2.1.3**
 * Workaround Broken Library Search Path On Some ARM 32-Bit Systems
 

libreborn/include/libreborn/minecraft.h

@@ -360,6 +360,9 @@ static uint32_t FillingContainer_linked_slots_length_property_offset = 0x14; //
 
 // RakNet::RakString
 
+typedef unsigned char *(*RakNet_RakString_t)(unsigned char *rak_string, const char *format, ...);
+static RakNet_RakString_t RakNet_RakString = (RakNet_RakString_t) 0xea5cc;
+
 typedef void (*RakNet_RakString_Assign_t)(unsigned char *rak_string, const char *str);
 static RakNet_RakString_Assign_t RakNet_RakString_Assign = (RakNet_RakString_Assign_t) 0xe9e34;
 

mods/src/misc/misc.c

@@ -64,6 +64,16 @@ static void LoginPacket_read_injection(unsigned char *packet, unsigned char *bit
     free(new_username);
 }
 
+// Fix RakNet::RakString Security Bug
+//
+// RakNet::RakString's format constructor is often given unsanitized user input and is never used for formatting,
+// this is a massive security risk, allowing clients to run arbitrary format specifiers, this disables the
+// formatting functionality.
+static unsigned char *RakNet_RakString_injection(unsigned char *rak_string, const char *format, ...) {
+    // Call Original Method
+    return (*RakNet_RakString)(rak_string, "%s", format);
+}
+
 // Init
 void init_misc() {
     if (feature_has("Remove Invalid Item Background", 0)) {
@@ -82,6 +92,9 @@ void init_misc() {
     // Sanitize Username
     patch_address(LoginPacket_read_vtable_addr, (void *) LoginPacket_read_injection);
 
+    // Fix RakNet::RakString Security Bug
+    overwrite_calls((void *) RakNet_RakString, RakNet_RakString_injection);
+
     // Init C++
     _init_misc_cpp();
 }