BUGFIX: Oversize server commands
bani
Site Admin


Posted: Mon Feb 02, 2004 8:42 pm    Post subject: BUGFIX: Oversize server commands

superdug wrote:
The hack involves using a buffer overflow in the sound system. A bind for a vsay is made; this vsay however seems to be larger than the buffer will allow, causing an immediate disconnect from all users connected to the server.


this isn't exactly correct. it's not a buffer overflow of the buffer (or the server would crash).

it's basically the client engine being retarded.

if you send an oversize trap_SendServerCommand(), the server happily sends the data to the client. however the client (engine, not cgame) expects server commands to never be > 1022 characters. so the client engine truncates the received servercommand at 1022, and the client engine interprets the next character in the server command string as a network command byte.

the client then gets totally confused at this point trying to interpret the rest of the string as raw network protocol, and blows up.

here's a true fix. basically it logs oversize commands and drops them on the floor. this will stop the vsay exploit, and any similar exploits in the future.

g_syscalls.c:
Code:

void trap_SendServerCommand( int clientNum, const char *text ) {
        // rain - hack - commands over 1022 chars will crash the
        // client upon receipt, so ignore them
        if( strlen( text ) > 1022 ) {
                G_LogPrintf( "trap_SendServerCommand( %d, ... ) length exceeds 1022.\n", clientNum );
                G_LogPrintf( "text [%s]\n", text );
                return;
        }
        syscall( G_SEND_SERVER_COMMAND, clientNum, text );
}


Last edited by bani on Sun Jun 12, 2005 3:13 pm; edited 2 times in total

Badhabit

Posted: Mon Feb 02, 2004 9:01 pm    Post subject: Re: BUGFIX: Oversize server commands

Bani
Is this for the server or the client?
And where does this (code) config need to go?

bani
Site Admin

Posted: Mon Feb 02, 2004 9:09 pm

there is only one g_syscalls.c in the SDK and only one void trap_SendServerCommand in g_syscalls.c

bani
Site Admin

Posted: Tue Feb 03, 2004 2:22 am

ok, the limit turned out to be 1022... documentation updated to reflect that.

spoon

Posted: Tue Feb 03, 2004 7:08 am

No, DG. Yer right... you can't stick this into a pk3. Basically, it's a fix for the source code, which means you need to get the wet_source package, find a compiler for Windows and Linux, and then rebuild the qagame so/DLL files.

And that's on the list of stuff bani mentioned they weren't going to cover.

The fix is already in etpro, and this is really only relevant if you're trying to make your own mod.

DG

Posted: Tue Feb 03, 2004 7:09 am

oopsie, i deleted and posted on the SD forum instead

spoon

Posted: Tue Feb 03, 2004 7:21 am

DG: D'oh.

Any rate, I was just wondering...

After grep'ing through the source this weekend, I ran across SanitizeString() in g_cmds.c. Could you just stick a bounds check in there with something like

Code:

void SanitizeString( char *in, char* out, qboolean fToLower)
{
      int cnt = 0;
      while( *in && cnt++ < 1022 ) {
              /* same stuff */
      }
      *out = 0;
}


Or am I overly optimistic in assuming that they call this func every time the game accepts string input from the user?

ReyalP

Posted: Tue Feb 03, 2004 4:16 pm

spoon wrote:

The fix is already in etpro, and this is really only relevant if you're trying to make your own mod.

Just to clarify, it is not in 2.0.7. It is fixed in the NEXT version of ETPro.

spoon

Posted: Tue Feb 03, 2004 4:40 pm

Hrm. What I was thinking of was in the 2.0.7 announcement:

Quote:

bugfix: fix bug allowing spectators to crash the server - no, we aren't going to tell you how to do it


So this was something else besides an overflow?

And the hits just keeeeeeeep on comin'.

ReyalP

Posted: Wed Feb 04, 2004 6:41 pm    Post subject: Re: BUGFIX: Oversize server commands

bani wrote:

g_syscalls.c:
Code:

void trap_SendServerCommand( int clientNum, const char *text ) {
        // rain - hack - commands over 1022 chars will crash the
        // client upon receipt, so ignore them
        if( strlen( text ) > 1022 ) {
                G_LogPrintf( "trap_SendServerCommand( %d, ... ) length exceeds 1022.\n", clientNum );
                G_LogPrintf( "text [%s]\n", text );
                return;
        }
        syscall( G_SEND_SERVER_COMMAND, clientNum, text );
}

FWIW, G_LogPrintf will only print the first 1023 chars (including timestamp), so the above will always be truncated, eating the \n and leaving the next log message on the same line. Not that it really matters...
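The following C is an added example, not code from this thread, the ET SDK or ETPro. It models two points made above: bani's guard that logs and drops any server command longer than 1022 characters, and ReyalP's remark that a fixed-size log line (1023 characters plus NUL) will cut the "text [%s]" message and eat its trailing newline. The engine syscall is replaced by a counter, the log file by an in-memory buffer, and all function and buffer names (guarded_send_server_command, log_printf_bounded, constructed_command, the 1024-byte LOG_LINE_MAX) are hypothetical stand-ins chosen here; only the 1022 command limit and the 1023-character log line come from the thread.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the ET SDK's or ETPro's code. Models the oversize
 * server-command guard from this thread plus a log writer that survives
 * truncation without losing its newline. Names are hypothetical. */

#define MAX_SERVER_COMMAND 1022   /* longest command the client engine accepts (from the thread) */
#define LOG_LINE_MAX       1024   /* assumed log buffer: 1023 chars + NUL, as ReyalP describes */

static char g_last_log[LOG_LINE_MAX];   /* constructed sink standing in for the game log file */
static int  g_engine_sends;             /* commands that reached the simulated engine syscall */
static char g_scratch[4096];            /* backing store for constructed test commands */

/* Bounded logger: formats into a fixed buffer the way a G_LogPrintf()-style
 * function does, but when the message is cut it rewrites the last kept byte
 * as '\n', so the next log entry always starts on its own line.
 * Returns the number of characters stored. */
int log_printf_bounded(const char *fmt, ...) {
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(g_last_log, sizeof g_last_log, fmt, ap);
    va_end(ap);

    if (n < 0) {
        g_last_log[0] = '\0';
        return 0;
    }
    if ((size_t)n >= sizeof g_last_log) {
        /* truncated: the closing "]\n" was lost, so force a newline at the end */
        g_last_log[sizeof g_last_log - 2] = '\n';
        g_last_log[sizeof g_last_log - 1] = '\0';
        n = (int)sizeof g_last_log - 1;
    }
    return n;
}

/* Last line written to the simulated log. */
const char *last_log_line(void) { return g_last_log; }

/* Stand-in for syscall(G_SEND_SERVER_COMMAND, ...): only counts deliveries. */
static void simulated_engine_send(int clientNum, const char *text) {
    (void)clientNum;
    (void)text;
    g_engine_sends++;
}

/* How many commands the simulated engine has accepted so far. */
int engine_send_count(void) { return g_engine_sends; }

/* The guard from the thread: returns 1 if the command was forwarded to the
 * engine, 0 if it was logged and dropped for exceeding 1022 characters. */
int guarded_send_server_command(int clientNum, const char *text) {
    size_t len = strlen(text);

    if (len > MAX_SERVER_COMMAND) {
        log_printf_bounded("guarded_send_server_command( %d, ... ) length %d exceeds %d.\n",
                           clientNum, (int)len, MAX_SERVER_COMMAND);
        log_printf_bounded("text [%s]\n", text);   /* this line is the one that gets cut */
        return 0;
    }
    simulated_engine_send(clientNum, text);
    return 1;
}

/* Builds a constructed command of exactly `len` 'A' characters (capped to the
 * scratch buffer) so the guard can be exercised with synthetic input. */
const char *constructed_command(size_t len) {
    if (len > sizeof g_scratch - 1) {
        len = sizeof g_scratch - 1;
    }
    memset(g_scratch, 'A', len);
    g_scratch[len] = '\0';
    return g_scratch;
}

int main(void) {
    printf("short command forwarded: %d\n", guarded_send_server_command(0, "print \"hello\"\n"));
    printf("1022-char command forwarded: %d\n", guarded_send_server_command(0, constructed_command(1022)));
    printf("1023-char command forwarded: %d\n", guarded_send_server_command(0, constructed_command(1023)));
    printf("log line length %zu, ends with newline: %d\n",
           strlen(last_log_line()), last_log_line()[strlen(last_log_line()) - 1] == '\n');
    return 0;
}
```

The guard is the same strlen() comparison bani posted; the only added behaviour is in the logger, which guarantees that a truncated "text [...]" entry still terminates the line, so the following log message is not glued onto it.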
bani
Site Admin


Posted: Wed Feb 04, 2004 7:48 pm

you could always up the buffer size ...

Chruker

Posted: Tue Jun 29, 2004 10:15 am

Wouldn't a length check of the string in G_LogPrintf be better than just upping the buffer?

bani
Site Admin

Posted: Tue Jun 29, 2004 10:25 am

no. and we don't up the buffer either.

NYKiller

Posted: Sun Sep 11, 2005 2:12 pm

I don't get this. How do you fix it? Like, what are the steps you have to do?

WeblionX

Posted: Sun Sep 11, 2005 2:58 pm

You modify the source in your mod. What's this, you're making a mod and you don't know how to edit source? What, you're not making a mod?! Then what are you doing here?