By Gamall
Date: 01-02-2008
*****************************************************************
** JEDI KNIGHT: Jedi Academy **
*****************************************************************
#-----------------------------------------------------------#
# TITLE        : JK2 & JK3 Forcestring server crash Fix     #
#                                                           #
# VERSION      : 1.1a [BaseJKA Security Fix v1.1a]          #
# AUTHOR       : Gamall Wednesday Ida                       #
# E-MAIL       : gamall.ida@gmail.com                       #
# WEBSITE      : http://gamall-ida.com                      #
#                                                           #
# LICENSE      : All code released under the                #
#                GNU General Public License                 #
#                                                           #
# FILESIZE     : ~ 4 Mo                                     #
# RELEASE DATE : December 2007                              #
#-----------------------------------------------------------#
+ READ ME! (CONTACT)
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-o +
Should you want to contact me, do NOT jump on my email; you
won't get an answer. Read the "CONTACT" section near the end of
this file instead ;-).
+ ABOUT THIS FILE
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-o +
There are two parts to this file. The most important one is the
readme you are presently reading, which describes the
vulnerability and the fix for both JK2 and JK3.
The second part is an update to my mod "BaseJKA Security Fix",
which uses said fix. The update provides both Linux and Windows
binaries, and updated source code files. See the mod's topic
for more information.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://gamall-ida.com/f/viewtopic.php?f=3&t=120
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ DESCRIPTION OF THE VULNERABILITY
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-o +
This is a very old crash, which has been around since JK2.
Oddly enough, though it has been patched in several mods, there
doesn't seem to be anything relevant on the net describing the
bug and the ways to patch it. I didn't even hear of it until
very recently. Here is a full description of the bug and a fix
for it, intended for any modder who has not fixed it in their
mod yet:
BUG: In both JK2 and JKA, in source file game/w_force.c, the
procedure void WP_InitForcePowers( gentity_t *ent ) fails to
perform proper sanity checks on the "forcepowers" userinfo value
and may crash when attempting to parse a malformed force powers
string. [A mod compiled in DEBUG mode doesn't seem to be
vulnerable, but that's not really a good way to fix it ;-) ].
EXPLOIT: Any player can cause a server crash by setting his
forcepowers to an incorrect value. For instance, /kill then
"/set forcepowers 1337; wait 1 ; forcechanged" will result in a
server crash when joining the game again.
FIX: Write the missing sanity check. The fix I have written
should work on both JK2 and JKA, but I have only tested it on
the latter. It is integrated into my mod "BaseJKA Security Fix"
as of version 1.1a.
+ THE FIX
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-o +
FILE: w_force.c
FIND LINE:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
void WP_InitForcePowers( gentity_t *ent )
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
BEFORE, ADD:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/*
 * Gamall Wednesday Ida
 * Workaround Force crash
 * License GPL.
 */
// if the force string is incorrect, this one will be used
char *gaGENERIC_FORCE = "7-1-033330000000000333";
// masks: no values outside these boundaries will be accepted.
// Each character of the client's string is compared against the
// character at the same position in both masks, so the masks also
// pin the separators ('-') and the total length (22).
char *gaFORCE_LOWER = "0-1-000000000000000000";
char *gaFORCE_UPPER = "7-2-333333333333333333";

// Returns s unchanged if it is a well-formed force string, and the
// generic default otherwise. Never writes to s.
char* gaCheckForceString(char* s) {
	char *p = s, *pu = gaFORCE_UPPER, *pl = gaFORCE_LOWER;
	// reject NULL and any string whose length differs from the masks'
	if (!s || strlen(s) != 22) return gaGENERIC_FORCE;
	// every character must lie within [lower, upper] for its position
	for ( ; *p; p++, pu++, pl++) {
		if (*p > *pu || *p < *pl) return gaGENERIC_FORCE;
	}
	return s;
}
// GWI: End Force Crash workaround.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
FIND LINE: [end of declaration block of WP_InitForcePowers()]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
qboolean didEvent = qfalse;
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
AFTER, ADD:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
// GWI: force crash
char* temp;
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
FIND LINE:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Q_strncpyz( forcePowers, Info_ValueForKey (userinfo, "forcepowers"), sizeof( forcePowers ) );
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
AFTER, ADD:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
// GWI: Force crash
// gaCheckForceString returns the buffer itself when it is valid,
// so a different pointer means the default was substituted.
temp = gaCheckForceString(forcePowers);
if (temp != forcePowers) {
	trap_SendServerCommand(ent->client->pers.clientNum,
		va("print \"^1Incorrect force string '%s'. Replaced by default.\n\"", forcePowers));
	// G_LogPrintf does not append a newline itself, so terminate the entry here
	G_LogPrintf("FORCE CRASH: Client num %d tried to take incorrect forcestring '%s'.\n",
		ent->client->pers.clientNum,
		forcePowers);
	Q_strncpyz( forcePowers, temp, sizeof( forcePowers ) );
} // End force crash workaround
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
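To make concrete what the bounds check above guarantees before
WP_InitForcePowers() starts indexing the string by position, here
is an added, stand-alone C program. It is not the mod's code and
not part of the original readme: it reuses the three mask strings
from the fix, but the field layout it parses (rank, side, eighteen
power levels) and every demo_ name are assumptions made for the
illustration. It runs the check over constructed sample strings,
including too-short, too-long, out-of-range and wrong-separator
inputs, and only then parses the accepted or substituted value
into a struct.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Added, stand-alone illustration of the mask check described in
 * this readme; it is not the mod's code. Field layout is an
 * assumption read off the mask strings:
 *   [0] rank '0'..'7', [1] '-', [2] side '1'..'2', [3] '-',
 *   [4..21] eighteen power levels, each '0'..'3'. */
#define FORCE_STRING_LEN 22
#define NUM_FORCE_POWERS 18

static const char DEMO_GENERIC_FORCE[] = "7-1-033330000000000333";
static const char DEMO_FORCE_LOWER[]   = "0-1-000000000000000000";
static const char DEMO_FORCE_UPPER[]   = "7-2-333333333333333333";

/* Parsed, type-safe view of a force string (demo type). */
typedef struct {
	int rank;
	int side;
	int level[NUM_FORCE_POWERS];
} demo_force_t;

/* 1 if every character of s lies within the per-position bounds, else 0.
 * Rejects NULL and any string whose length differs from the masks'. */
int demo_force_string_valid(const char *s) {
	size_t i;
	if (!s || strlen(s) != FORCE_STRING_LEN) return 0;
	for (i = 0; i < FORCE_STRING_LEN; i++) {
		if (s[i] < DEMO_FORCE_LOWER[i] || s[i] > DEMO_FORCE_UPPER[i]) return 0;
	}
	return 1;
}

/* Validate, substituting the default for bad input, then parse.
 * Returns 1 if the caller's string was used, 0 if the default replaced it. */
int demo_parse_force_string(const char *userinfo_value, demo_force_t *out) {
	const char *s = userinfo_value;
	int used_input = 1;
	size_t i;
	if (!demo_force_string_valid(s)) {
		s = DEMO_GENERIC_FORCE;
		used_input = 0;
	}
	/* Safe to index by position now: length and character classes are known. */
	out->rank = s[0] - '0';
	out->side = s[2] - '0';
	for (i = 0; i < NUM_FORCE_POWERS; i++) out->level[i] = s[4 + i] - '0';
	return used_input;
}

int main(void) {
	/* Constructed sample inputs: one valid string, then the malformed
	 * kinds a server should refuse. */
	const char *samples[] = {
		"7-1-033330000000000333",  /* well-formed */
		"1337",                    /* far too short */
		"7-1-0333300000000003334", /* one character too long */
		"8-1-033330000000000333",  /* rank above 7 */
		"7-3-033330000000000333",  /* side outside 1..2 */
		"7-1-033330000000000334",  /* power level above 3 */
		"7_1_033330000000000333",  /* wrong separators */
	};
	size_t n;
	for (n = 0; n < sizeof(samples) / sizeof(samples[0]); n++) {
		demo_force_t f;
		int ok = demo_parse_force_string(samples[n], &f);
		printf("%-25s -> %s (rank %d, side %d)\n", samples[n],
		       ok ? "accepted" : "replaced by default", f.rank, f.side);
	}
	return 0;
}
```

The point of splitting validation from parsing is that the parser
can then assume a fixed length and known character classes, which
is exactly the assumption the original WP_InitForcePowers() made
without checking; the substitution of a known-good default keeps
the player in the game instead of rejecting the join.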
+ CONTACT / SUPPORT
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-o +
If you need help or have suggestions, comments, insults, praise,
or in general anything to say about this program that you
expect me to read and answer, please post on the program's
topic on my website:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://gamall-ida.com/f/viewtopic.php?f=3&t=356
OR (BaseJKA Security Fix's topic)
http://gamall-ida.com/f/viewtopic.php?f=3&t=120
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The only circumstance in which my personal email is the proper
way to contact me is when my website is down for maintenance
for a long time, which is very infrequent.
+ CREDITS:
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-o +
Thanks to evan1715 for bringing the crash to my attention
(though he drives me mad :D)
A snippet of old code from MasterHex and Ensiform helped me
locate the problem. Thanks to them.
THIS MODIFICATION IS NOT MADE, DISTRIBUTED, OR SUPPORTED BY
ACTIVISION, RAVEN, OR LUCASARTS ENTERTAINMENT COMPANY LLC.
ELEMENTS TM & © LUCASARTS ENTERTAINMENT COMPANY LLC AND/OR ITS
LICENSORS.
+-----------------------------+
| File generated with 'GaTeX',|
| an ASCII typesetting system |
| by Gamall Wednesday Ida. |
| http://gamall-ida.com |
+-----------------------------+
Build: Fri Dec 21 18:35:53 2007
File : F:readme.GaTeX.source