BUGFIX: Oversize server commands


bani
Site Admin
Posts: 2780
Joined: Sun Jul 21, 2002 3:58 am

Post by bani »

superdug wrote: The hack involves using a buffer overflow in the sound system. A bind for a vsay is made, this vsay however seems to be larger than the buffer will allow and causing an immediate disconnect from all users connected to the server.
this isn't exactly correct. it's not a buffer overflow of the buffer (or the server would crash).

it's basically the client engine being retarded. :curse:

if you send an oversize trap_sendservercommand(), the server happily sends the data to the client. however the client (engine, not cgame) expects server commands to never be > 1022 characters. so the client engine truncates the received servercommand at 1022, and the client engine interprets the next character in the server command string as a network command byte.

the client then gets totally confused at this point trying to interpret the rest of the string as raw network protocol, and blows up.

here's a true fix. basically it logs oversize commands and drops them on the floor. this will stop the vsay exploit, and any similar exploits in the future.

g_syscalls.c:

void trap_SendServerCommand( int clientNum, const char *text ) {
        // rain - hack - commands over 1022 chars will crash the
        // client upon receipt, so ignore them
        if( strlen( text ) > 1022 ) {
                G_LogPrintf( "trap_SendServerCommand( %d, ... ) length exceeds 1022.\n", clientNum );
                G_LogPrintf( "text [%s]\n", text );
                return;
        }
        syscall( G_SEND_SERVER_COMMAND, clientNum, text );
}
Last edited by bani on Sun Jun 12, 2005 3:13 pm, edited 2 times in total.
Badhabit
Posts: 312
Joined: Sat Oct 26, 2002 9:09 pm
Location: Boise, Idaho

Re: BUGFIX: Oversize server commands

Post by Badhabit »

Bani
Is this for the server or the client?
And where does this (code) config need to go?
{Zer0}'s House of Torment 67.19.67.118:27960
{Zer0}'s RTCW server 67.19.67.119:27960
Now Lets Go Kick Some ASS
And thats an Order.
bani
Site Admin
Posts: 2780
Joined: Sun Jul 21, 2002 3:58 am

Post by bani »

there is only one g_syscalls.c in the SDK and only one void trap_SendServerCommand in g_syscalls.c :P
bani
Site Admin
Posts: 2780
Joined: Sun Jul 21, 2002 3:58 am

Post by bani »

ok, the limit turned out to be 1022... documentation updated to reflect that.
spoon
Posts: 48
Joined: Mon Feb 03, 2003 5:51 pm
Location: San Antonio

Post by spoon »

No, DG. Yer right... you can't stick this into a pk3. :) Basically, it's a fix for the source code, which means you need to get the wet_source package, find a compiler for Windows and Linux, and then rebuild the qagame so/DLL files.

And that's on the list of stuff bani mentioned they weren't going to cover. :)

The fix is already in etpro, and this is really only relevant if you're trying to make your own mod.
DG
Posts: 513
Joined: Thu Jul 24, 2003 4:16 am

Post by DG »

oopsie i deleted and posted on SD forum instead :oops:
spoon
Posts: 48
Joined: Mon Feb 03, 2003 5:51 pm
Location: San Antonio

Post by spoon »

DG: D'oh. :)

Any rate, I was just wondering...

After grep'ing through the source this weekend, I ran across SanitizeString() in g_cmds.c. Could you just stick a bounds check in there with something like

void SanitizeString( char *in, char* out, qboolean fToLower)
{
      int cnt = 0;
      while( *in && cnt++ < 1022 ) {
              /* same stuff */
      }
      *out = 0;
}
Or am I overly optimistic in assuming that they call this func every time the game accepts string input from the user? :(
ReyalP
Posts: 1663
Joined: Fri Jul 25, 2003 11:44 am

Post by ReyalP »

spoon wrote: The fix is already in etpro, and this is really only relevant if you're trying to make your own mod.
Just to clarify, it is not in 2.0.7. It is fixed in the NEXT version of ETPro.
send lawyers, guns and money
spoon
Posts: 48
Joined: Mon Feb 03, 2003 5:51 pm
Location: San Antonio

Post by spoon »

Hrm. What I was thinking of was in the 2.0.7 announcement:
bugfix: fix bug allowing spectators to crash the server - no, we aren't going to tell you how to do it :)
So this was something else besides an overflow? :(

And the hits just keeeeeeeep on comin'.
ReyalP
Posts: 1663
Joined: Fri Jul 25, 2003 11:44 am

Re: BUGFIX: Oversize server commands

Post by ReyalP »

bani wrote: g_syscalls.c:

void trap_SendServerCommand( int clientNum, const char *text ) {
        // rain - hack - commands over 1022 chars will crash the
        // client upon receipt, so ignore them
        if( strlen( text ) > 1022 ) {
                G_LogPrintf( "trap_SendServerCommand( %d, ... ) length exceeds 1022.\n", clientNum );
                G_LogPrintf( "text [%s]\n", text );
                return;
        }
        syscall( G_SEND_SERVER_COMMAND, clientNum, text );
}
FWIW, G_LogPrintf will only print the first 1023 chars (including timestamp) so the above will always be truncated, eating the \n and leaving the next log message on the same line. Not that it really matters...
send lawyers, guns and money
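Added example, not code from the thread or from etpro: a guard in the spirit of bani's trap_SendServerCommand fix that also takes ReyalP's point into account, logging only a bounded, printable sample of the dropped command so the log line always fits under the 1023-char G_LogPrintf limit and keeps its trailing newline. The 1022 and 1023 limits are the ones stated in the thread; the function name, LOG_TEXT_SAMPLE and the caller-supplied log buffer (standing in for G_LogPrintf) are my own assumptions.

```c
#include <stdio.h>
#include <string.h>

#define MAX_SERVER_COMMAND 1022   /* longest command the client engine accepts (thread) */
#define MAX_LOG_LINE       1023   /* G_LogPrintf cuts a line here, per ReyalP */
#define LOG_TEXT_SAMPLE    200    /* assumed: how much of a dropped command to log */

/*
 * Guard for trap_SendServerCommand.  Returns 1 if `text` is safe to hand
 * to the engine, 0 if it must be dropped.  When dropping, writes exactly
 * one log line into `logbuf` (hypothetical stand-in for G_LogPrintf) that
 * is guaranteed to be shorter than MAX_LOG_LINE and to end with '\n', so
 * the following log entry starts on its own line.  Non-printable bytes in
 * the logged sample are replaced by '.' so the entry stays on one line.
 */
int check_server_command(int clientNum, const char *text,
                         char *logbuf, size_t logsz)
{
    size_t len = strlen(text);
    char sample[LOG_TEXT_SAMPLE + 1];
    size_t i, n;

    if (len <= MAX_SERVER_COMMAND) {
        if (logsz) logbuf[0] = '\0';  /* nothing to log, command goes through */
        return 1;
    }

    /* keep only a bounded, printable prefix of the offending command */
    n = len < LOG_TEXT_SAMPLE ? len : LOG_TEXT_SAMPLE;
    for (i = 0; i < n; i++)
        sample[i] = (text[i] >= 32 && text[i] < 127) ? text[i] : '.';
    sample[n] = '\0';

    snprintf(logbuf, logsz,
             "trap_SendServerCommand( %d, ... ) length %zu exceeds %d, dropped. "
             "text [%s%s]\n",
             clientNum, len, MAX_SERVER_COMMAND, sample, len > n ? "..." : "");
    return 0;
}

int main(void)
{
    char log[MAX_LOG_LINE + 1];
    char big[1200];                 /* constructed oversize command */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    if (!check_server_command(3, big, log, sizeof log))
        fputs(log, stdout);         /* one bounded line, newline intact */
    return 0;
}
```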
bani
Site Admin
Posts: 2780
Joined: Sun Jul 21, 2002 3:58 am

Post by bani »

you could always up the buffersize ...
Chruker
Posts: 12
Joined: Sat Jun 26, 2004 12:28 pm

Post by Chruker »

Wouldn't a length check of the string in G_LogPrintf be better, than just upping the buffer?
bani
Site Admin
Posts: 2780
Joined: Sun Jul 21, 2002 3:58 am

Post by bani »

no. and we don't up the buffer either.
NYKiller
Posts: 17
Joined: Mon Jul 18, 2005 5:53 pm

Post by NYKiller »

I don't get this. How do you fix it, like what are the steps you have to do?
Computer Specs
P4 2.6 MHz HT
Abit IC7-MAX3
2 Gig of Kingston
ATI Radeon X850 XT Plat
Sound Blaster Gamer
Sony 19in Flat 12 MS response
Thermal Take Case
WeblionX
Posts: 762
Joined: Sun Sep 08, 2002 1:03 pm

Post by WeblionX »

You modify the source in your mod. What's this, you're making a mod and you don't know how to edit source? What, you're not making a mod?! Then what are you doing here?
Got any old idtech3 tutorials you made or saved? Send them my way.