Hello, Luigi Auriemma has already reported this about half a year ago, with
PoC. I got a patch that should take care of this. I set the max challenge size
to 128 to be on the safe side. It won't be able to make the infostring too
long, nor will it be too small for some challenge/response games out there, I
guess.
Thilo

server # diff -u sv_main.old.c sv_main.c
--- sv_main.old.c 2005-09-01 03:27:27.000000000 +0200
+++ sv_main.c 2005-09-01 03:54:09.000000000 +0200
@@ -373,6 +373,15 @@
return;
}
+ /*
+ * Check whether Cmd_Argv(1) has a sane length. This was not done in
the original Quake3 version which led
+ * to the Infostring bug discovered by Luigi Auriemma. See
http://aluigi.altervista.org/ for the advisory.
+ */
+
+ // A maximum challenge length of 128 should be more than plenty.
+ if(strlen(Cmd_Argv(1)) > 128)
+ return;
+
// don't count privateclients
count = 0;
for ( i = sv_privateClients->integer ; i < sv_maxclients->integer ;
i++ ) {
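Review bot: the length check `if(strlen(Cmd_Argv(1)) > 128)` hard-codes the limit in both the comment and the condition, and the early `return` drops the request without any trace. A named constant for the maximum challenge length would keep the comment and the test in sync, and a debug-level log line before the `return` would let a server operator see that oversized challenges are being rejected. Separately, the comment lines continuing "the original Quake3 version which led" and "http://aluigi.altervista.org/ for the advisory." and the `i++ ) {` context line have been wrapped without a `+` or leading-space prefix, so the hunk as pasted will not apply; it needs to be supplied as an unwrapped file.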
Setting a QA contact on all ioquake3 bugs, even resolved ones. Sorry if you get a flood of email from this, it should only happen once. Apologies for the inconvenience.
--ryan.
Created attachment 773
Patch to fix the bug.

There we go ... cleanly in a file without random linebreaks.