[quake3-bugzilla] [Bug 6324] New: A specially crafted client can change/send sv_serverid back to the server causing a new gamestate.

Tue Sep 30 15:40:53 EDT 2014

https://bugzilla.icculus.org/show_bug.cgi?id=6324

            Bug ID: 6324
           Summary: A specially crafted client can change/send sv_serverid
                    back to the server causing a new gamestate.
           Product: ioquake3
           Version: unspecified
          Hardware: All
                OS: All
            Status: NEW
          Severity: major
          Priority: P3
         Component: Misc
          Assignee: zachary at ioquake.org
          Reporter: ensiform at gmail.com
        QA Contact: quake3-bugzilla at icculus.org

If a malicious client changes the value of the recieved sv_serverid to be sent
back during CL_WritePacket->SV_UserMove, they will be sent a new gamestate and
reload the map without dying or causing clientdisconnect/begin.  No flags
dropped etc either.

This is similar to the behavior of the `donedl` exploit.

I have no idea how to actually prevent spoofed values (when received back on
the server) while retaining ability to allow the different serverid support for
download code and map_restart.

-- 
You are receiving this mail because:
You are the QA Contact for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://icculus.org/pipermail/quake3-bugzilla/attachments/20140930/e6b5ef05/attachment.html>