diva / diva-distribution

OpenSim + addons. This is the content that gets distributed in the d2 project.

Denial of Service attack #39

Open Outworldz opened 3 years ago

Outworldz commented 3 years ago

The recursive #Include system cannot handle an estate number larger than about 800 due to the recursion in it, and the 1 MB stack space. The estate number can be almost unlimited in DreamGrid as it can handle thousands of regions. It also starts at 1000 now due to a need to skip over any possible estate. Web crawlers and rogue operators read an unused URL in the Diva code that is not normally used, and it will crash Robust due to the limited stack space of 1 MB.

I added a simple cutoff limit, shown below, which can be much lower than 500. I had to use a high estate number for auto creation of a specific estate for Endless Land and Seas in DreamGrid. If you need more details as to exactly what is happening and where, please contact me directly: fred at outworldz.com.

Processor.cs line 141:

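    private string Include(string argStr)
    {
        // Cutoff: stop expanding once m_Index passes the limit, so the
        // recursion cannot exhaust the 1 MB stack.
        if (m_Index > 500)
            return string.Empty;
        // ... (rest of the method not shown in the post)

Outworldz commented 2 years ago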

10 recursions is a reasonable limit for the avatar choices.
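The cutoff discussed in this thread, as an added example that is not code from Diva or DreamGrid: a depth-capped include expander in C#. The class name, the include-tag syntax and the sample templates are hypothetical; the cap of 10 is the figure from the comment above. The explicit cap matters because .NET cannot catch a `StackOverflowException` (the process is terminated), while `RuntimeHelpers.EnsureSufficientExecutionStack()` fails with a catchable exception as a backstop.

```csharp
using System;
using System.Collections.Generic;
using System.Runtime.CompilerServices;
using System.Text.RegularExpressions;

// Hypothetical stand-in for a template processor; not Diva's Processor class.
public sealed class BoundedIncludeExpander
{
    private const int MaxDepth = 10;   // limit suggested in the thread
    private static readonly Regex IncludeTag =   // assumed tag syntax
        new Regex(@"<!--\s*#include\s+file=""([^""]+)""\s*-->", RegexOptions.Compiled);

    private readonly IReadOnlyDictionary<string, string> _templates;
    private int _depth;

    public BoundedIncludeExpander(IReadOnlyDictionary<string, string> t) => _templates = t;

    public string Expand(string name)
    {
        // Explicit cap: deep or cyclic chains yield empty output, not a crash.
        if (_depth >= MaxDepth) return string.Empty;
        if (!_templates.TryGetValue(name, out string body)) return string.Empty;

        // Backstop: throws a catchable InsufficientExecutionStackException,
        // unlike StackOverflowException, which terminates the process.
        RuntimeHelpers.EnsureSufficientExecutionStack();

        _depth++;
        try
        {
            return IncludeTag.Replace(body, m => Expand(m.Groups[1].Value));
        }
        finally
        {
            _depth--;   // counts nesting depth, not total includes on a page
        }
    }

    public static void Main()
    {
        // Constructed sample: a template that includes itself without end.
        var templates = new Dictionary<string, string>
        {
            ["loop.html"] = "x<!-- #include file=\"loop.html\" -->",
            ["page.html"] = "<p><!-- #include file=\"loop.html\" --></p>",
        };
        Console.WriteLine(new BoundedIncludeExpander(templates).Expand("page.html"));
    }
}
```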