Information

File: steamnetworkingsockets\clientlib\steamnetworkingsockets_udp.cpp
Function: CConnectionTransportUDPBase::Received_Data()

The connection protocol supports the transmission of statistics as part of the header of the incoming message.
When preparing to parse the protobuf-encoded statistics blob, there is a 32-bit overflow in the bounds check:

pIn = DeserializeVarInt( pIn, pPktEnd, cbStatsMsgIn );
if ( pIn == NULL )
{
	ReportBadUDPPacketFromConnectionPeer( "DataPacket", "Failed to varint decode size of stats blob" );
	return;
}
// EI-DBG: Classic 32-bit overflow, and it turns out that CS:GO is 32-bit (client & server).
// EI-DBG: Will lead to an error and a raised exception in the ParseFromArray() method
if ( pIn + cbStatsMsgIn > pPktEnd )
{
	ReportBadUDPPacketFromConnectionPeer( "DataPacket", "stats message size doesn't make sense.  Stats message size %d, packet size %d", cbStatsMsgIn, cbPkt );
	return;
}

if ( !msgStats.ParseFromArray( pIn, cbStatsMsgIn ) )
{
	ReportBadUDPPacketFromConnectionPeer( "DataPacket", "protobuf failed to parse inline stats message" );
	return;
}

This out-of-bounds read lets an attacker raise an exception inside protobuf, which is handed a negative size while handling the length-delimited wire format.
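As an added example (not the project's code), the vulnerable comparison modelled in a 32-bit address space beside a hardened form that compares against the remaining length and rejects negative sizes. The varint decoder and the packet bytes are constructed stand-ins for DeserializeVarInt() and a real stats header.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

/* Minimal base-128 varint decoder, a stand-in for DeserializeVarInt() (hypothetical,
 * not the library's code). Stores the result into a 32-bit int exactly as the
 * vulnerable path does, so a 10-byte all-ones varint truncates to -1. Returns NULL
 * when the varint runs past the end of the packet. */
static const uint8_t *decode_varint(const uint8_t *p, const uint8_t *end, int32_t *out)
{
    uint64_t v = 0;
    for (int shift = 0; shift < 64 && p < end; shift += 7, p++) {
        v |= (uint64_t)(*p & 0x7F) << shift;
        if (!(*p & 0x80)) { *out = (int32_t)(uint32_t)v; return p + 1; } /* truncating store */
    }
    return NULL;
}

/* The vulnerable check `pIn + cbStatsMsgIn > pPktEnd`, evaluated with 32-bit addresses
 * so the wrap-around seen on the 32-bit CS:GO builds reproduces on a 64-bit host.
 * Returns true when the check would ACCEPT the size. */
static bool vuln_check_accepts(uint32_t pIn, uint32_t pPktEnd, int32_t cb)
{
    uint32_t sum = pIn + (uint32_t)cb;   /* wraps modulo 2^32; a negative cb lands below pPktEnd */
    return !(sum > pPktEnd);
}

/* Hardened form: never form the end pointer; compare the size against the bytes that
 * are actually left in the packet, and refuse negative sizes outright. */
static bool safe_check_accepts(const uint8_t *pIn, const uint8_t *pPktEnd, int32_t cb)
{
    if (pIn > pPktEnd) return false;
    size_t remaining = (size_t)(pPktEnd - pIn);
    return cb >= 0 && (size_t)cb <= remaining;
}

/* Convenience wrapper: apply the hardened check to a 64-byte buffer. */
static bool safe_check_on_64_byte_buffer(int32_t cb)
{
    static uint8_t buf[64];
    return safe_check_accepts(buf, buf + sizeof buf, cb);
}

/* Constructed packet: a 10-byte varint encoding 0xFFFFFFFFFFFFFFFF (truncates to -1)
 * followed by four bytes standing in for the stats blob. Returns 1 if the hardened
 * check rejects it, 0 if it accepts it, -1 if the varint itself is malformed. */
static int constructed_packet_rejected(void)
{
    static const uint8_t pkt[] = { 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0x01, 1,2,3,4 };
    const uint8_t *end = pkt + sizeof pkt;
    int32_t cb;
    const uint8_t *p = decode_varint(pkt, end, &cb);
    if (!p) return -1;
    return safe_check_accepts(p, end, cb) ? 0 : 1;
}
```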

Crash Trace:

terminate called after throwing an instance of 'std::length_error'
  what():  basic_string::append

Attachments:
CVE_2020_6019_PoC_32_bits.py
steamnetworkingsockets_messages_certs_pb2.py
steamnetworkingsockets_messages_pb2.py
steamnetworkingsockets_messages_udp_pb2.py
steam_networking_sockets.py

References:
https://research.checkpoint.com/2020/game-on-finding-vulnerabilities-in-valves-steam-sockets
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6019
https://github.com/ValveSoftware/GameNetworkingSockets/commit/d944a10808891d202bb1d5e1998de6e0423af678