Bug 3027 - Improper checking of userinfo can lead to IP spoofing
Status: RESOLVED FIXED
Alias: None
Product: ioquake3
Classification: Unclassified
Component: Misc
Version: unspecified
Hardware: PC All
: P2 major
Assignee: Tim Angus
QA Contact: ioquake3 bugzilla mailing list
URL:
Depends on:
Blocks:
 
Reported: 2007-02-14 06:21 EST by Richard Stanway
Modified: 2007-05-21 11:23:19 EDT
1 user (show)

See Also:

Attachments
Patch against 898 (2.18 KB, patch)
2007-02-14 06:21 EST, Richard Stanway
svn1042 userinfo ip fix (2.79 KB, patch)
2007-02-14 17:36 EST, Tony J. White

Description Richard Stanway 2007-02-14 06:21:10 EST 
The server blindly trusts the "ip" key in SV_UserinfoChanged if it is set by the client, allowing a user to supply a fake "ip" key and bypass any game-based IP restrictions. Additionally, a malicious oversized userinfo string could cause the IP address added by the server to be truncated or missing entirely.

Bug discovered by vcxzet and Polly.
Comment 1 Richard Stanway 2007-02-14 06:21:48 EST 
Created attachment 1263 [details]
Patch against 898
Comment 2 Tony J. White 2007-02-14 17:36:48 EST 
Created attachment 1264 [details]
svn1042 userinfo ip fix


Mostly the same as R1CH's fix, but is more exact on what constitutes a userinfo string overflow.
Comment 3 Tony J. White 2007-02-14 18:15:49 EST 
Added at revision 1043
Comment 4 Ryan C. Gordon 2007-05-21 11:23:19 EDT 
Setting a QA contact on all ioquake3 bugs, even resolved ones. Sorry if you get a flood of email from this, it should only happen once. Apologies for the incovenience.

--ryan.