superdug wrote:
> The hack involves using a buffer overflow in the sound system. A bind for a vsay is made; this vsay however seems to be larger than the buffer will allow, causing an immediate disconnect from all users connected to the server.

this isn't exactly correct. it's not a buffer overflow of the buffer (or the server would crash).
it's basically the client engine being retarded.

if you send an oversize trap_sendservercommand(), the server happily sends the data to the client. however the client (engine, not cgame) expects server commands to never be > 1022 characters. so the client engine truncates the received servercommand at 1022, and the client engine interprets the next character in the server command string as a network command byte.
the client then gets totally confused at this point trying to interpret the rest of the string as raw network protocol, and blows up.
here's a true fix. basically it logs oversize commands and drops them on the floor. this will stop the vsay exploit, and any similar exploits in the future.
g_syscalls.c:

```c
/* Server-side wrapper around the engine syscall; lives in the game module,
 * so G_LogPrintf and syscall() come from the surrounding g_syscalls.c. */
void trap_SendServerCommand( int clientNum, const char *text ) {
	// rain - hack - commands over 1022 chars will crash the
	// client upon receipt, so ignore them
	if ( strlen( text ) > 1022 ) {
		G_LogPrintf( "trap_SendServerCommand( %d, ... ) length exceeds 1022.\n", clientNum );
		G_LogPrintf( "text [%s]\n", text );
		return;
	}
	syscall( G_SEND_SERVER_COMMAND, clientNum, text );
}
```
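A toy model of the client-side failure described above (the string read stopping at the buffer limit and the leftover bytes being taken as the next command byte) next to the server-side length check from the fix. This is an added example, not the mod's or the engine's code; the buffer size, opcode values and message layout are assumptions chosen to mirror the post.

```c
#include <string.h>

#define MAX_STRING_CHARS  1024  /* assumed client-side string buffer size */
#define MAX_CMD_LEN       1022  /* limit used by the fix in the post */
#define SVC_SERVERCOMMAND 5     /* assumed opcode values for the toy stream */
#define SVC_EOF           8

typedef struct { unsigned char data[4096]; int cursize; int readcount; } msg_t;

static int read_byte(msg_t *m) {
    return m->readcount < m->cursize ? m->data[m->readcount++] : -1;
}

/* Reads a NUL-terminated string but stops once the buffer is full; the unread
 * tail of an oversize string stays in the stream, which is the bug. */
static void read_string(msg_t *m, char *out, size_t outsz) {
    size_t l = 0;
    for (;;) {
        int c = read_byte(m);
        if (c == -1 || c == 0) break;
        out[l++] = (char)c;
        if (l >= outsz - 1) break;
    }
    out[l] = 0;
}

/* The check from the post: anything longer than 1022 chars is dropped. */
int server_accepts(const char *text) { return strlen(text) <= MAX_CMD_LEN; }

/* Builds [SVC_SERVERCOMMAND][text][NUL][SVC_EOF], parses it like the client,
 * and returns the byte the client would take as the next opcode. */
int next_opcode_after_command(const char *text) {
    msg_t m = {{0}, 0, 0};
    char cmd[MAX_STRING_CHARS];
    size_t n = strlen(text);
    if (n + 3 > sizeof m.data) return -1;      /* toy stream too small */
    m.data[m.cursize++] = SVC_SERVERCOMMAND;
    memcpy(m.data + m.cursize, text, n); m.cursize += (int)n;
    m.data[m.cursize++] = 0;
    m.data[m.cursize++] = SVC_EOF;
    if (read_byte(&m) != SVC_SERVERCOMMAND) return -1;
    read_string(&m, cmd, sizeof cmd);
    return read_byte(&m);   /* SVC_EOF when well-formed, garbage when oversize */
}

/* Probe helpers: a constructed command made of `len` 'A' characters. */
static int fill(char *b, size_t bsz, size_t len) {
    if (len >= bsz) return 0;
    memset(b, 'A', len); b[len] = 0; return 1;
}
int probe_client(size_t len) { char b[4096]; return fill(b, sizeof b, len) ? next_opcode_after_command(b) : -1; }
int probe_server(size_t len) { char b[4096]; return fill(b, sizeof b, len) ? server_accepts(b) : 0; }
```

A 1022-character command parses cleanly, a 1023-character one leaves its NUL in the stream to be read as opcode 0, and anything longer hands the client a payload byte ('A') as its next command; the server-side check rejects exactly the cases that misparse.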