fix(server/impl): initConnect addition overflow

[blattersturm]

Invalid ticket lengths could lead to an out-of-bounds read, crashing the server. This is relatively easy to exploit as well (just change the field in an existing valid cfxTicket to FF FF FF FF, and send it on to a server you want to crash) and therefore a bit risky - I've been trying to report this privately for ages (see the Sep 6, 2023 commit date!), but it seems to have slipped through the cracks and not been acted on at all for the past four months.

Goal of this PR

Make the server not crash when sending an invalid ticket.

How is this PR achieving the goal

Using larger types.

This PR applies to the following area(s)

Server

Successfully tested on

Platforms: Windows. Should work on Linux as well.

Checklist

• Code compiles and has been tested successfully.
• Code explains itself well and/or is documented.
• My commit message explains what the changes do and what they are for.
• No extra compilation warnings are added by these changes.

[z3t4s]

It took me 20 minutes to successfully crash my test server, and most of that was compiling...
Deferral (Queue systems, Allow lists) do not help you. Update to the newest artifacts as soon as they release.

If you're a high risk target with good infrastructure you might want to filter traffic arriving on POST /client for bad tickets for now.

Demo: https://streamable.com/2gxesr

Semi OT: It would be good to see some movement on a few other, even more dangerous issues that have been reported to the appropriate parties in private

[Vinipux322]

Hey bubble, long time no see, buddy, how you doing?

Demo: https://www.youtube.com/watch?v=v85xbzENTYQ

[nihonium-cfx]

For the future, we encourage everyone to submit exploit reports privately through [email protected] or by contacting an element on discord directly.