JKA No "ingame crash" patch
Posted: Sat Mar 17, 2007 2:38 am
FILE OUTDATED: NEW VERSION OFFERS PROTECTION AGAINST FAKE PLAYER ATTACKS
New version viewtopic.php?t=120
***********************************
Jedi Knight: Jedi Academy
***********************************
TITLE: No "ingame crash" patch
AUTHOR: Gamall
E-MAIL: gamall.ida@gmail.com
WEBSITE: http://gamall-ida.com
FILENAME Windows : nocrash_Win.pk3
FILENAME Linux : jampgamei386.so
FILESIZE: < 2 MB
DATE RELEASED: 18 March 2007
CREDITS:
Kudos to Trimbo for his linux-ready version of the vanilla SDK.
INSTALLATION INSTRUCTIONS:
Just put it in your server's base folder.
DESCRIPTION:
-> Removes the vulnerability to the say/tell "aaaaaaaaaaaaaaaaaaaaaaaaa..." attack, also known as the ingame buffer overflow attack, in unmodified baseJKA, by truncating say entries that are too long and blocking server commands that are too long.
Just remember to use a patched (linux)jampded[.exe] as well, and your server shall be impervious to malicious crashes.
-> Logs say/tell/server overflows into the server logs, with the name and id of the offending client.
-> Does not alter ANY aspect of basejka past that.
-> Damage values MAY be slightly altered on Linux servers. This is a consequence of the fact that I compiled with GCC instead of ICC. Most people won't notice it, though. I sure wouldn't :P
COMMENTS: This is not very original, and has probably been done to death already, but I couldn't find a fix that works on Linux on the net when someone asked me about it... so here it is.
If someone has ICC and is willing to compile a so with it, please contact me :)
///////////////////////////////////////////////////////////////
MODIFIED CODE : (from jka-universalSource, linux-ready SDK.)
void trap_SendServerCommand( int clientNum, const char *text ) {
    /* Gamall : This bit should protect the clients... */
    if ( strlen(text) > 1022 )
    {
        /* clientNum is an int, so the log format must be %d, not %s */
        G_LogPrintf( "Gamall : Client %d sent too long a command...\n", clientNum );
        G_LogPrintf( "Sent command : [%s]\n", text );
        G_LogPrintf( "Total length : %d \n", (int)strlen(text) );
        return;
    }
    /* Gamall : END OF FIX */
    syscall( G_SEND_SERVER_COMMAND, clientNum, text );
}
/*
==================
Cmd_Say_f
==================
*/
static void Cmd_Say_f( gentity_t *ent, int mode, qboolean arg0 ) {
    char *p;
    if ( trap_Argc () < 2 && !arg0 ) {
        return;
    }
    if ( arg0 )
    {
        p = ConcatArgs( 0 );
    }
    else
    {
        p = ConcatArgs( 1 );
    }
    /* FIX Gamall : This bit should prevent crashes... */
    /* ConcatArgs returns a writable static buffer of MAX_STRING_CHARS bytes,
       so terminating it at index 150 keeps at most 150 characters. */
    if ( strlen(p) > 150 )
    {
        p[150] = 0;
        G_LogPrintf( "ANTI CRASH : Cmd_Say_f entry from client %s (%d) has been truncated\n", ent->client->pers.netname, ent->s.number );
    }
    /* END OF FIX */
    G_Say( ent, NULL, mode, p );
}
/*
==================
Cmd_Tell_f
==================
*/
static void Cmd_Tell_f( gentity_t *ent ) {
    int targetNum;
    gentity_t *target;
    char *p;
    char arg[MAX_TOKEN_CHARS];
    if ( trap_Argc () < 2 ) {
        return;
    }
    trap_Argv( 1, arg, sizeof( arg ) );
    targetNum = atoi( arg );
    if ( targetNum < 0 || targetNum >= level.maxclients ) {
        return;
    }
    target = &g_entities[targetNum];
    if ( !target || !target->inuse || !target->client ) {
        return;
    }
    p = ConcatArgs( 2 );
    /* FIX Gamall : This bit should prevent crashes... */
    /* Same bound as Cmd_Say_f: keep at most 150 characters of the message. */
    if ( strlen(p) > 150 )
    {
        p[150] = 0;
        G_LogPrintf( "ANTI CRASH : Cmd_Tell_f entry from client %s (%d) has been truncated\n", ent->client->pers.netname, ent->s.number );
    }
    /* END OF FIX */
    G_LogPrintf( "tell: %s to %s: %s\n", ent->client->pers.netname, target->client->pers.netname, p );
    G_Say( ent, target, SAY_TELL, p );
    // don't tell to the player self if it was already directed to this player
    // also don't send the chat back to a bot
    if ( ent != target && !(ent->r.svFlags & SVF_BOT) ) {
        G_Say( ent, ent, SAY_TELL, p );
    }
}
I also removed the improbable powf function, which, apart from yielding a result different from what its name implies, prevents compilation under VC++ 8, for reasons that are quite beyond me since it's syntactically correct... It's not used anywhere in the code anyway... I'm quite puzzled by this thing... Bah...
/*
Gamall : Removed this so as to
allow compilation with VC++ 8.
*/
/* Note: the C standard library's <math.h> already declares
   float powf(float, float); a second definition with a different
   parameter list conflicts with that declaration. The loop below also
   squares r on every pass, so it computes x^(2^(y-1)) rather than x^y. */
//float powf ( float x, int y )
//{
//    float r = x;
//    for ( y--; y>0; y-- )
//        r = r * r;
//    return r;
//}
THIS MODIFICATION IS NOT MADE, DISTRIBUTED, OR SUPPORTED BY ACTIVISION, RAVEN, OR
LUCASARTS ENTERTAINMENT COMPANY LLC. ELEMENTS TM & © LUCASARTS
ENTERTAINMENT COMPANY LLC AND/OR ITS LICENSORS.
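Added example (not part of Gamall's patch, the JKA SDK, or the engine): a stand-alone C sketch of the two guards the patch puts in front of chat, clamping the say text to 150 characters and refusing any server command longer than 1022 bytes, plus the step the patch leaves to the game module, building the outgoing command with a length-checked formatter instead of trusting the input length. The "chat" command layout, the player name "Player", the 2000-byte payload and the function names are all constructed for illustration; the real G_SayTo output and the real engine syscall are not reproduced here.

```c
/* Added example, not part of Gamall's patch or the JKA SDK. The "chat"
 * command layout and the names below are illustrative only. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_STRING_CHARS 1024   /* Q3-family SDK size of a command buffer */
#define MAX_SAY_TEXT     150    /* chat limit used by the patch above */

/* Truncate chat text in place so at most max_len characters remain.
 * Returns 1 if anything was cut, 0 otherwise. */
int clamp_say_text(char *text, size_t max_len)
{
    if (strlen(text) <= max_len)
        return 0;
    text[max_len] = '\0';
    return 1;
}

/* Build the outgoing "chat" command into a fixed buffer with a bounded
 * formatter. snprintf never overruns out; a result that would have been
 * cut is treated as an error instead of being sent in mangled form.
 * Returns the command length, or -1 if it did not fit. */
int build_chat_command(char *out, size_t out_size,
                       const char *netname, const char *text)
{
    int n = snprintf(out, out_size, "chat \"%s: %s\"", netname, text);
    if (n < 0 || (size_t)n >= out_size)
        return -1;
    return n;
}

/* Gate in front of the engine syscall, mirroring the patch's 1022 limit
 * (MAX_STRING_CHARS minus two). Returns 1 if the command may be sent. */
int server_command_allowed(const char *cmd)
{
    return strlen(cmd) <= MAX_STRING_CHARS - 2;
}

/* Guarded say path: clamp, format with bounds, then gate the send.
 * Returns the length of the command placed in out, or -1 if rejected. */
int handle_say(const char *netname, char *text, char *out, size_t out_size)
{
    int n;
    if (clamp_say_text(text, MAX_SAY_TEXT))
        fprintf(stderr, "ANTI CRASH: say from %s truncated to %d chars\n",
                netname, MAX_SAY_TEXT);
    n = build_chat_command(out, out_size, netname, text);
    if (n < 0 || !server_command_allowed(out))
        return -1;
    return n;
}

/* Constructed payload: a say line of len repeated 'a's, like the attack
 * described in the post. Caller frees. */
char *make_payload(size_t len)
{
    char *p = malloc(len + 1);
    if (!p)
        return NULL;
    memset(p, 'a', len);
    p[len] = '\0';
    return p;
}

/* Run a constructed 2000-byte "aaaa..." say line through both paths.
 * Returns the guarded command length when the unguarded formatter
 * correctly refuses the payload, or -1 on any other outcome. */
int demo_long_say(void)
{
    char cmd[MAX_STRING_CHARS];
    char *payload = make_payload(2000);
    int unguarded, guarded;
    if (!payload)
        return -1;
    /* Unguarded: 2015 bytes of command do not fit in a 1024-byte buffer. */
    unguarded = build_chat_command(cmd, sizeof cmd, "Player", payload);
    /* Guarded: the same payload is clamped to 150 characters first. */
    guarded = handle_say("Player", payload, cmd, sizeof cmd);
    free(payload);
    return (unguarded == -1) ? guarded : -1;
}

int main(void)
{
    int n = demo_long_say();
    printf("guarded chat command length: %d\n", n);
    return n < 0;
}
```

With the constructed "Player" name and 150 characters of text, the guarded command is 165 bytes; the same input unclamped would be 2015 bytes, which the formatter refuses before anything reaches the buffer. The point over the patch's strlen check is that the bound is enforced where the command is built, so an over-long input cannot reach the syscall even if a future caller forgets the check.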