Bug 6324 - A specially crafted client can change/send sv_serverid back to the server causing a new gamestate.
Status: RESOLVED FIXED
Alias: None
Product: ioquake3
Classification: Unclassified
Component: Misc
Version: unspecified
Hardware: All All
: P3 major
Assignee: Zachary J. Slater
QA Contact: ioquake3 bugzilla mailing list
URL:
Depends on:
Blocks:
 
Reported: 2014-09-30 15:40 EDT by ensiform
Modified: 2018-04-03 22:49:48 EDT

See Also:
Description ensiform 2014-09-30 15:40:53 EDT
If a malicious client changes the value of the received sv_serverid to be sent back during CL_WritePacket->SV_UserMove, they will be sent a new gamestate and reload the map without dying or causing clientdisconnect/begin. No flags dropped, etc., either.

This is similar to the behavior of the `donedl` exploit.

I have no idea how to actually prevent spoofed values (when received back on the server) while retaining ability to allow the different serverid support for download code and map_restart.
Comment 1 ensiform 2014-09-30 15:53:34 EDT
Correction, it looks like the server receives the changed value back in SV_ExecuteClientMessage not SV_UserMove.
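The following C model is an added illustration of the logic the report and the correction describe (a server that trusts the serverid echoed back by the client, in SV_ExecuteClientMessage, to decide whether to resend a gamestate), placed beside a hardened variant. It is not ioquake3 source and not the project's fix; the struct layout, the `restartedServerId` window for map_restart, the `messageAcknowledge > gamestateMessageNum` resend condition and the constructed ids (1300, 1350, 1400, 9999) are all assumptions made for the example. The hardened rule it demonstrates is one possible design: a client that is already in-game (CS_ACTIVE) is never granted a map reload on the strength of a serverid it chose itself, while a still-connecting client (the download case) and a client inside the map_restart window keep working.

```c
#include <stdio.h>

/* Hypothetical model of the serverid check from the report; not ioquake3 code. */
typedef enum { CS_CONNECTED, CS_PRIMED, CS_ACTIVE } clientState_t;

typedef struct {
    int serverId;            /* current sv_serverid: changes on map load and map_restart */
    int restartedServerId;   /* serverId in force just before the last map_restart */
} server_t;

typedef struct {
    clientState_t state;
    int gamestateMessageNum; /* server message number the last gamestate was sent in */
    int messageAcknowledge;  /* last server message number this client acknowledged */
} client_t;

typedef enum { ACT_IGNORE, ACT_RESEND_GAMESTATE, ACT_PROCESS } action_t;
typedef action_t (*dispatch_fn)(const server_t *, const client_t *, int);

/* Vulnerable model: any unknown serverid from a client that has acknowledged the
 * previous gamestate triggers a fresh gamestate, i.e. a map reload on the client's say-so. */
action_t vulnerable_dispatch(const server_t *sv, const client_t *cl, int echoedServerId) {
    if (echoedServerId == sv->serverId)
        return ACT_PROCESS;
    /* map_restart window: the client still holds the id from just before the restart */
    if (echoedServerId >= sv->restartedServerId && echoedServerId < sv->serverId)
        return ACT_PROCESS;
    if (cl->messageAcknowledge > cl->gamestateMessageNum)
        return ACT_RESEND_GAMESTATE;   /* reached by a forged id from an in-game client */
    return ACT_IGNORE;
}

/* Hardened model (assumption for this example, not the project's fix): once the client is
 * CS_ACTIVE it has already loaded the current map, so a foreign serverid is a spoof and the
 * message is dropped. Connecting clients (download case) can still be resent a gamestate. */
action_t hardened_dispatch(const server_t *sv, const client_t *cl, int echoedServerId) {
    if (echoedServerId == sv->serverId)
        return ACT_PROCESS;
    if (echoedServerId >= sv->restartedServerId && echoedServerId < sv->serverId)
        return ACT_PROCESS;
    if (cl->state == CS_ACTIVE)
        return ACT_IGNORE;
    if (cl->messageAcknowledge > cl->gamestateMessageNum)
        return ACT_RESEND_GAMESTATE;
    return ACT_IGNORE;
}

/* Constructed scenarios. The ids are made up for the demo. */
action_t scenario_spoof(dispatch_fn dispatch) {
    server_t sv = { 1400, 1300 };
    client_t cl = { CS_ACTIVE, 10, 50 };     /* in-game, acked well past the gamestate */
    return dispatch(&sv, &cl, 9999);         /* forged id, matches nothing the server issued */
}

action_t scenario_map_restart(dispatch_fn dispatch) {
    server_t sv = { 1400, 1300 };
    client_t cl = { CS_ACTIVE, 10, 50 };
    return dispatch(&sv, &cl, 1350);         /* id from the pre-restart window */
}

action_t scenario_download(dispatch_fn dispatch) {
    server_t sv = { 1400, 1300 };
    client_t cl = { CS_CONNECTED, 10, 50 };  /* still loading after a map change */
    return dispatch(&sv, &cl, 1200);         /* id from the previous map */
}

static const char *name(action_t a) {
    return a == ACT_PROCESS ? "process" : a == ACT_RESEND_GAMESTATE ? "resend gamestate" : "ignore";
}

int main(void) {
    printf("spoof:        vulnerable=%s hardened=%s\n",
           name(scenario_spoof(vulnerable_dispatch)), name(scenario_spoof(hardened_dispatch)));
    printf("map_restart:  vulnerable=%s hardened=%s\n",
           name(scenario_map_restart(vulnerable_dispatch)), name(scenario_map_restart(hardened_dispatch)));
    printf("download:     vulnerable=%s hardened=%s\n",
           name(scenario_download(vulnerable_dispatch)), name(scenario_download(hardened_dispatch)));
    return 0;
}
```

In the spoof scenario the vulnerable model resends a gamestate (the behaviour the report describes), while the hardened model drops the message; the map_restart and download scenarios are handled identically by both, which is the property the reporter wants to preserve.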