Bug 5452 - SV_ExecuteClientCommand() assumes the str length
Status: RESOLVED INVALID
Alias: None
Product: ioquake3
Classification: Unclassified
Component: Misc
Version: GIT MASTER
Hardware: PC Windows Vista
: P3 minor
Assignee: Zachary J. Slater
QA Contact: ioquake3 bugzilla mailing list
URL:
Depends on:
Blocks:
 
Reported: 2012-03-23 14:53 EDT by Gros Bedo
Modified: 2012-03-25 08:24:02 EDT
1 user (show)

See Also:


Description Gros Bedo 2012-03-23 14:53:35 EDT 
There is a potential bug that may crash the server in sv_client.c SV_ExecuteClientCommand() function:

if(strcmp(Cmd_Argv(0), "say") && strcmp(Cmd_Argv(0), "say_team") )
				Cmd_Args_Sanitize(); //remove \n, \r and ; from string. We don't do that for say-commands because it makes people mad (understandebly)
			VM_Call( gvm, GAME_CLIENT_COMMAND, cl - svs.clients );

The strcmp assumes the client command is at least 3 characters, but if it's below, it may crash the server. This should be converted to a Q_stricmp or a Q_strncmp.
Comment 1 Gros Bedo 2012-03-23 14:54:29 EDT 
Sorry this is not from the standard ioquake3. My bad.
Comment 2 Simon McVittie 2012-03-25 08:24:02 EDT 
For the record, that's not how strcmp() works - it stops comparing at the first "\0" in either string, so strcmp("", "say"), strcmp("x", "say") and strcmp("xx", "say") won't crash.