bani (Site Admin)
Joined: 21 Jul 2002   Posts: 3685
Posted: Mon Feb 02, 2004 8:42 pm   Post subject: BUGFIX: Oversize server commands
superdug wrote:
    The hack involves using a buffer overflow in the sound system. A bind for a vsay is made; this vsay however seems to be larger than the buffer will allow, causing an immediate disconnect from all users connected to the server.
this isn't exactly correct. it's not a buffer overflow of the buffer (or the server would crash).
it's basically the client engine being retarded.
if you send an oversize trap_SendServerCommand(), the server happily sends the data to the client. however, the client (engine, not cgame) expects server commands to never be > 1022 characters. so the client engine truncates the received servercommand at 1022, and the client engine interprets the next character in the server command string as a network command byte.
the client then gets totally confused at this point trying to interpret the rest of the string as raw network protocol, and blows up.
here's a true fix. basically it logs oversize commands and drops them on the floor. this will stop the vsay exploit, and any similar exploits in the future.
g_syscalls.c:
Code:
    // strlen() needs <string.h>; in the SDK it is already pulled in via g_local.h
    void trap_SendServerCommand( int clientNum, const char *text ) {
        // rain - hack - commands over 1022 chars will crash the
        // client upon receipt, so ignore them
        if( strlen( text ) > 1022 ) {
            // log the oversize command and drop it instead of forwarding it
            G_LogPrintf( "trap_SendServerCommand( %d, ... ) length exceeds 1022.\n", clientNum );
            G_LogPrintf( "text [%s]\n", text );
            return;
        }
        // normal path: hand the command to the engine
        syscall( G_SEND_SERVER_COMMAND, clientNum, text );
    }
Last edited by bani on Sun Jun 12, 2005 3:13 pm; edited 2 times in total |
Badhabit
Joined: 26 Oct 2002   Posts: 332   Location: Boise, Idaho
Posted: Mon Feb 02, 2004 9:01 pm   Post subject: Re: BUGFIX: Oversize server commands
Bani,
Is this for the server or the client?
And where does this (code) config need to go.
_________________
{Zer0}'s House of Torment 67.19.67.118:27960
{Zer0}'s RTCW server 67.19.67.119:27960
Now Lets Go Kick Some ASS
And that's an Order.
bani (Site Admin)
Joined: 21 Jul 2002   Posts: 3685
Posted: Mon Feb 02, 2004 9:09 pm
there is only one g_syscalls.c in the SDK and only one void trap_SendServerCommand in g_syscalls.c.
bani (Site Admin)
Joined: 21 Jul 2002   Posts: 3685
Posted: Tue Feb 03, 2004 2:22 am
ok, the limit turned out to be 1022... documentation updated to reflect that.
spoon
Joined: 03 Feb 2003   Posts: 66   Location: San Antonio
Posted: Tue Feb 03, 2004 7:08 am
No, DG. Yer right... you can't stick this into a pk3. Basically, it's a fix for the source code, which means you need to get the wet_source package, find a compiler for Windows and Linux, and then rebuild the qagame so/DLL files.
And that's on the list of stuff bani mentioned they weren't going to cover.
The fix is already in etpro, and this is really only relevant if you're trying to make your own mod.
DG
Joined: 24 Jul 2003   Posts: 513
spoon
Joined: 03 Feb 2003   Posts: 66   Location: San Antonio
Posted: Tue Feb 03, 2004 7:21 am
DG: D'oh.
At any rate, I was just wondering...
After grep'ing through the source this weekend, I ran across SanitizeString() in g_cmds.c. Could you just stick a bounds check in there with something like
Code:
    void SanitizeString( char *in, char* out, qboolean fToLower)
    {
        int cnt = 0;
        // stop after 1022 input characters instead of running to the terminator
        while( *in && cnt++ < 1022 ) {
            /* same stuff */   /* the existing copy/strip loop body, elided in the post */
        }
        *out = 0;
    }
Or am I overly optimistic in assuming that they call this func every time the game accepts string input from the user?
ReyalP
Joined: 25 Jul 2003   Posts: 1663
Posted: Tue Feb 03, 2004 4:16 pm
spoon wrote:
    The fix is already in etpro, and this is really only relevant if you're trying to make your own mod.
Just to clarify, it is not in 2.0.7. It is fixed in the NEXT version of ETPro.
_________________
send lawyers, guns and money
spoon
Joined: 03 Feb 2003   Posts: 66   Location: San Antonio
Posted: Tue Feb 03, 2004 4:40 pm
Hrm. What I was thinking of was in the 2.0.7 announcement:
Quote:
    bugfix: fix bug allowing spectators to crash the server - no, we aren't going to tell you how to do it
So this was something else besides an overflow?
And the hits just keeeeeeeep on comin'.
ReyalP
Joined: 25 Jul 2003   Posts: 1663
Posted: Wed Feb 04, 2004 6:41 pm   Post subject: Re: BUGFIX: Oversize server commands
bani wrote:
    g_syscalls.c:
    Code:
        void trap_SendServerCommand( int clientNum, const char *text ) {
            // rain - hack - commands over 1022 chars will crash the
            // client upon receipt, so ignore them
            if( strlen( text ) > 1022 ) {
                G_LogPrintf( "trap_SendServerCommand( %d, ... ) length exceeds 1022.\n", clientNum );
                G_LogPrintf( "text [%s]\n", text );
                return;
            }
            syscall( G_SEND_SERVER_COMMAND, clientNum, text );
        }
FWIW, G_LogPrintf will only print the first 1023 chars (including timestamp), so the above will always be truncated, eating the \n and leaving the next log message on the same line. Not that it really matters...
_________________
send lawyers, guns and money
bani (Site Admin)
Joined: 21 Jul 2002   Posts: 3685
Posted: Wed Feb 04, 2004 7:48 pm
you could always up the buffersize ...
Chruker
Joined: 26 Jun 2004   Posts: 12
Posted: Tue Jun 29, 2004 10:15 am
Wouldn't a length check of the string in G_LogPrintf be better than just upping the buffer?
bani (Site Admin)
Joined: 21 Jul 2002   Posts: 3685
Posted: Tue Jun 29, 2004 10:25 am
no. and we don't up the buffer either.
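An added illustration of the two points raised above, bani's guard that drops server commands over 1022 characters and ReyalP's note that G_LogPrintf cuts its line at 1023 characters and so eats the trailing newline. This is example code, not the SDK's or ETPro's; the log sink, the LOG_LINE_CAP value and the function names are stand-ins.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not SDK or ETPro code. The client engine truncates server
 * commands at 1022 bytes, so the server side refuses to send anything longer. */
#define MAX_SERVERCMD_LEN 1022
/* Assumed stand-in for G_LogPrintf's line buffer (the thread says 1023 chars). */
#define LOG_LINE_CAP 1023

static char g_last_log[LOG_LINE_CAP + 1]; /* hypothetical log sink: last line written */
static int g_sent = 0;                    /* stand-in for syscall(G_SEND_SERVER_COMMAND) */

/* Like G_LogPrintf, but truncates the text rather than the trailing '\n',
 * so an oversize command can never glue two log lines together. */
static void log_line(const char *prefix, const char *text) {
    size_t plen = strlen(prefix);
    if (plen > LOG_LINE_CAP - 1) plen = LOG_LINE_CAP - 1;
    size_t room = LOG_LINE_CAP - 1 - plen;         /* bytes left before the '\n' */
    size_t tlen = strlen(text);
    if (tlen > room) tlen = room;                  /* bounded excerpt of the text */
    memcpy(g_last_log, prefix, plen);
    memcpy(g_last_log + plen, text, tlen);
    g_last_log[plen + tlen] = '\n';
    g_last_log[plen + tlen + 1] = '\0';
}

/* Returns 1 when the command was forwarded, 0 when it was dropped as oversize. */
int send_server_command_checked(int clientNum, const char *text) {
    size_t len = strlen(text);
    if (len > MAX_SERVERCMD_LEN) {
        char prefix[64];
        snprintf(prefix, sizeof prefix,
                 "trap_SendServerCommand( %d, ... ) length %zu exceeds %d: ",
                 clientNum, len, MAX_SERVERCMD_LEN);
        log_line(prefix, text);                    /* log it, then drop it on the floor */
        return 0;
    }
    g_sent++;
    return 1;
}

const char *last_log_line(void) { return g_last_log; }
int sent_count(void) { return g_sent; }
```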
NYKiller
Joined: 18 Jul 2005   Posts: 17
Posted: Sun Sep 11, 2005 2:12 pm
I don't get this. How do you fix it, like what are the steps you have to do?
_________________
Computer Specs
P4 2.6 MHz HT
Abit IC7-MAX3
2 Gig of Kingston
ATI Radeon X850 XT Plat
Sound Blaster Gamer
Sony 19in Flat 12 MS response
Thermal Take Case
WeblionX
Joined: 08 Sep 2002   Posts: 1163   Location: Tseaby
Posted: Sun Sep 11, 2005 2:58 pm
You modify the source in your mod. What's this, you're making a mod and you don't know how to edit source? What, you're not making a mod?! Then what are you doing here?
_________________
Weblion "Th' Politically Inco'reck Tiger" X
If a VCR uses the 24-hour time format, does it still blink 12:00 after a power outage?
Pushing electrons since 1990
120VAC -> Ground == Bad