From bugzilla-daemon at icculus.org Tue Sep 30 15:40:53 2014
From: bugzilla-daemon at icculus.org (bugzilla-daemon at icculus.org)
Date: Tue, 30 Sep 2014 19:40:53 +0000
Subject: [quake3-bugzilla] [Bug 6324] New: A specially crafted client can
change/send sv_serverid back to the server causing a new gamestate.
Message-ID:
https://bugzilla.icculus.org/show_bug.cgi?id=6324
Bug ID: 6324
Summary: A specially crafted client can change/send sv_serverid
back to the server causing a new gamestate.
Product: ioquake3
Version: unspecified
Hardware: All
OS: All
Status: NEW
Severity: major
Priority: P3
Component: Misc
Assignee: zachary at ioquake.org
Reporter: ensiform at gmail.com
QA Contact: quake3-bugzilla at icculus.org
If a malicious client changes the value of the recieved sv_serverid to be sent
back during CL_WritePacket->SV_UserMove, they will be sent a new gamestate and
reload the map without dying or causing clientdisconnect/begin. No flags
dropped etc either.
This is similar to the behavior of the `donedl` exploit.
I have no idea how to actually prevent spoofed values (when received back on
the server) while retaining ability to allow the different serverid support for
download code and map_restart.
--
You are receiving this mail because:
You are the QA Contact for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From bugzilla-daemon at icculus.org Tue Sep 30 15:53:34 2014
From: bugzilla-daemon at icculus.org (bugzilla-daemon at icculus.org)
Date: Tue, 30 Sep 2014 19:53:34 +0000
Subject: [quake3-bugzilla] [Bug 6324] A specially crafted client can
change/send sv_serverid back to the server causing a new gamestate.
In-Reply-To:
References:
Message-ID:
https://bugzilla.icculus.org/show_bug.cgi?id=6324
--- Comment #1 from ensiform at gmail.com ---
Correction, it looks like the server receives the changed value back in
SV_ExecuteClientMessage not SV_UserMove.
--
You are receiving this mail because:
You are the QA Contact for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: