JK2 & JK3 Forcestring server crash Fix

[Gamall]

ForceCrashFix.zip

(1.41 MiB) Downloaded 3796 times

Alternative code allowing uncanny force ranks : here

on Filefront : http://jediknight3.filefront.com/file/J ... _Fix;85487

Code: Select all

*****************************************************************
**                  JEDI KNIGHT: Jedi Academy                  **
*****************************************************************
 
  #-----------------------------------------------------------#  
  #      TITLE : JK2 & JK3 Forcestring server crash Fix       #  
  #                                                           #  
  #        VERSION : 1.1a [BaseJKA Security Fix v1.1a]        #  
  #               AUTHOR : Gamall Wednesday Ida               #  
  #               E-MAIL : gamall.ida@gmail.com               #  
  #              WEBSITE : http://gamall-ida.com              #  
  #                                                           #  
  #           LICENSE : All code released under the           #  
  #                GNU General Public License                 #  
  #                                                           #  
  #                     FILESIZE : ~ 4 Mo                     #  
  #               RELEASE DATE : December 2007                #  
  #-----------------------------------------------------------#  
 
 
 
+   READ ME! (CONTACT)                                           
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-o          +
 
 Should  you  want  to  contact me, do NOT jump on my email, you 
 won't get an answer. Read the "CONTACT" section near the end of 
 that file instead ;-).                                          
 
 
+   ABOUT THIS FILE                                              
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-o          +
 
 There are two parts to this file: The most important one is the 
 readme file you are  presently  reading,  which  describes  the 
 vulnerability   and   the   fix   for   both   JK2   and   JK3. 
                                                                 
 The second part is an update to my mod "BaseJKA Security  Fix", 
 which uses said fix. The update provides both linux and Windows 
 binaries,  and  updated  source-code files. See the mod's topic 
 for more information.                                           
 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~      
       http://gamall-ida.com/f/viewtopic.php?f=3&t=120
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~      
 
 
+   DESCRIPTION OF THE VULNERABILITY                             
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-o          +
 
 This is a very old crash, which  has  been  around  since  JK2. 
 Oddly enough, though it has been patched in several mods, there 
 doesn't  seem to be anything relevant on the net describing the 
 bug and the ways to patch it. I didn't even hear  of  it  until 
 very  recently. Here is a full description of the bug and a fix 
 for it, destined to any modder who has not fixed that in  their 
 mod yet:                                                        
                                                                 
 BUG:  In  both  JK2  and  JKA,  in  source file game/w_force.c, 
 procedure void WP_InitForcePowers( gentity_t *ent  )  fails  to 
 perform  proper sanity checks on "forcepowers" userinfo and may 
 crash when  attempting  to  parse  an  incorrect  force  powers 
 string.  [A  mod  compiled  in  DEBUG  mode  doesn't seem to be 
 vulnerable, though, but that's not really a good way to fix  it 
 ;-) ].                                                          
                                                                 
 EXPLOIT:  Any  player  can  cause a server crash by setting his 
 forcepowers to an incorrect value.  For  instance,  /kill  then 
 "/set forcepowers 1337; wait 1 ; forcechanged" will result in a 
 server     crash     when     joining     the    game    again. 
                                                                 
 FIX: Write the missing sanity check. The  fix  I  have  written 
 should  work  on both JK2 and JKA, but I have only tested it on 
 the latter. It is integrated in my mod "BaseJKA Security  Fix", 
 in version 1.1a.                                                
 
 
+   THE FIX                                                      
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-o          +
 
 FILE: w_force.c                                                 
 FIND LINE:                                                      
 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~      
       void WP_InitForcePowers( gentity_t *ent )
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~      
 
 BEFORE, ADD:                                                    
 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~      
       /*
        * Gamall Wednesday Ida
        * Workaround Force crash
        * License GPL.
        */
       
       // if the force string is incorrect, this one will be used
       char  *gaGENERIC_FORCE	= "7-1-033330000000000333";
       // masks: no values outside these boundaries will be accepted
       char  *gaFORCE_LOWER 	= "0-1-000000000000000000";
       char  *gaFORCE_UPPER 	= "7-2-333333333333333333";
       
       char* gaCheckForceString(char* s) {
           char *p = s, *pu = gaFORCE_UPPER, *pl = gaFORCE_LOWER;
           if (!s || strlen(s) != 22) return gaGENERIC_FORCE;
           while(*p) {if (*p > *pu++ || *p++ < *pl++) {return gaGENERIC_FORCE;}}
           return s;	
       }
       
       // GWI: End Force Crash workaround.
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~      
 
 FIND  LINE:  [end of declaration block of WP_InitForcePowers()] 
 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~      
         qboolean didEvent = qfalse;
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~      
 
 AFTER, ADD:                                                     
 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~      
       // GWI: force crash
       char* temp;
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~      
 
 FIND LINE:                                                      
 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~      
       Q_strncpyz( forcePowers, Info_ValueForKey (userinfo, "forcepowers"), sizeof( forcePowers ) );
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~      
 
 AFTER, ADD:                                                     
 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~      
       // GWI: Force crash
       temp = gaCheckForceString(forcePowers);
       if (temp != forcePowers) {
         trap_SendServerCommand(ent->client->pers.clientNum, 
             va("print \"^1Incorrect force string '%s'. Replaced by default.\n\"", forcePowers));
         G_LogPrintf("FORCE CRASH: Client num %d tried to take incorrect forcestring '%s'.",
                     ent->client->pers.clientNum, 
                     forcePowers);
         Q_strncpyz( forcePowers, temp, sizeof( forcePowers ) );
       } // End force crash workaround
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~      
 
 
+   CONTACT / SUPPORT                                            
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-o          +
 
 If you need help or have suggestions, comments, insults, praise 
 or in general, anything to say  about  this  program  that  you 
 expect  me  to read and answer to, please post on the program's 
 topic on my website:                                            
 
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~      
       	http://gamall-ida.com/f/viewtopic.php?f=3&t=356
       	OR (BaseJKA Security Fix's topic)
       	http://gamall-ida.com/f/viewtopic.php?f=3&t=120
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~      
 
 The only circumstance in which my personal email is the  proper 
 way  to  contact  me is when my website is down for maintenance 
 for a long time, which is very infrequent.                      
 
 
+   CREDITS:                                                     
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-o          +
 
 Thanks to evan1715 for  bringing  the  crash  to  my  attention 
 (though he drives me mad :D)                                    
                                                                 
 A  snippet  of  old  code from MasterHex and Ensiform helped me 
 locate the problem. Thanks to them.                             
 
 THIS MODIFICATION IS NOT MADE,  DISTRIBUTED,  OR  SUPPORTED  BY 
 ACTIVISION,  RAVEN,  OR  LUCASARTS  ENTERTAINMENT  COMPANY LLC. 
 ELEMENTS TM & © LUCASARTS ENTERTAINMENT COMPANY LLC AND/OR ITS 
 LICENSORS.                                                      
 




























  +-----------------------------+
  | File generated with 'GaTeX',|
  | an ASCII typesetting system |
  | by  Gamall  Wednesday  Ida. |
  |   http://gamall-ida.com     |
  +-----------------------------+
  Build: Fri Dec 21 18:35:53 2007
  File : F:readme.GaTeX.source

[evan1715]

uh i believe it sort of fails on jk2... i try to change my force powers to a normal settings 200-1-230330000330000332 and 200-2-033330333000033333 which are both normal. The first one has all light force, regular, and saber force powers ('cause i put it on g_maxforcerank 200) and the second one is normal Jedi Master settings. May be in JK2 the force power numbers are different? But one thing is for sure, it does stop the crash!... and all your other force powers.

Error when trying crash:
FORCE CRASH: Client num 0 tried to take incorrect forcestring '1337'.
Well done.

[evan1715]

AH, I believe I just need to change the 1 char

char *gaFORCE_UPPER = "7-2-333333333333333333";
to like
char *gaFORCE_UPPER = "200-2-033330333000033333";
that should work o_O don't know why the difference between JA and JO but I'll try it and that should be good.

[Gamall]

('cause i put it on g_maxforcerank 200)

Isn't that some kind of a cheat ?

The "normal" value is 7, isn't it ? So on most servers, it shouldn't be a problem.

If that kind of setting is really wildspread, I'll post an alternative gaCheckForceString() code. Tomorrow

AH, I believe I just need to change the 1 char *gaFORCE_UPPER

Nope, won't work, it's a tad more complicated than that. It will still fail the length check . And changing the length check is not enough either, since the length has become variable. Like I said, I'll post updated code tomorrow

[evan1715]

('cause i put it on g_maxforcerank 200)

Isn't that some kind of a cheat ?

Nope, it's a regular command but its only supposed to go through 1 to 9, but if you put to 200, no smaller or it wont work, it'll give you 40,000 points to spend on your force powers, also known as getting all force powers.

The "normal" value is 7, isn't it ? So on most servers, it shouldn't be a problem.

read below.

If that kind of setting is really wildspread, I'll post an alternative gaCheckForceString() code. Tomorrow

no it isn't wide spread, like just a few servers have it on JK2 but I love having all force powers.

AH, I believe I just need to change the 1 char *gaFORCE_UPPER

Nope, won't work, it's a tad more complicated than that. It will still fail the length check . And changing the length check is not enough either, since the length has become variable. Like I said, I'll post updated code tomorrow

MMK!!! I just tested something, apparently the 7 you have is g_maxforcerank 7, thats why theres a 7 infront of it. If my g_maxforcerank is 200, it will say 200-1 or 2-48175981275812 so the beginning number is what ever the maxforcerank is.

[Gamall]

MMK!!! I just tested something, apparently the 7 you have is g_maxforcerank 7, thats why theres a 7 infront of it. If my g_maxforcerank is 200, it will say 200-1 or 2-48175981275812 so the beginning number is what ever the maxforcerank is.

It is the force rank

A quick googling will give you more info on the meaning of the force string: (here for jka)

7 - Jedi Master 6 Jedi Knight. etc...
then a -
1 - Light Side 2 Dark Side
then a -
then the following 18 columns:
1) Heal
2) Jump
3) Speed
4) Push
5) Pull
6) Mind Trick
7) Grip
8) Lightning
9) Dark Rage
10) Protect
11) Absorb
12) Team Heal
13) Team Force
14) Drain
15) Sight
16) Saver Offense
17) Saber Defense
18) Saber Throw

[evan1715]

A quick googling will give you more info on the meaning of the force string: (here for jka)

u know me and google

7 - Jedi Master 6 Jedi Knight. etc...
then a -
1 - Light Side 2 Dark Side............

Yeah, figured that out just now well yer, if you could find a way to allow g_maxforcerank 200, just do it so it only allows g_maxforcerank 200 if you want ALL force powers and just say that it has to be 200 in your readme, it'd be easier. But yeah I changed it to Jedi master and it works great. xD Well I suppose now first theory was wrong about JK2 and JKA having different numbers. Cheers.

[Gamall]

u know me and google

Unfortunately, I do

just do it so it only allows g_maxforcerank 200 if you want ALL force powers and just say that it has to be 200 in your readme, it'd be easier

That might be a good idea. But while I'm at it, I'll make it as general as possible, it will be cleaner.

But yeah I changed it to Jedi master and it works great. xD Well I suppose now first theory was wrong about JK2 and JKA having different numbers. Cheers.

Yes it was... fortunately for me

Bedtime here

[Gamall]

As promised, the updated code, which allows uncanny "g_maxforcerank" settings.

In my book, this is really a cheat, since it gives capabilities beyond what the game normally allows, but I understand the fun-factor in it

Code: Select all

/*
 * Gamall Wednesday Ida
 * Workaround Force crash
 * License GPL.
 *
 * Version modified to allow 'tweaked" settings
 * like "g_maxforcerank 200".
 */

char  *gaGENERIC_FORCE    = "7-1-033330000000000333";
char  *gaFORCE_LOWER     = "-1-000000000000000000";
char  *gaFORCE_UPPER     = "-2-333333333333333333";


char* gaCheckForceStringTail(char* s, char* S) {
    char *p = s, *pu = gaFORCE_UPPER, *pl = gaFORCE_LOWER;
    if (!s || strlen(s) != 21) return gaGENERIC_FORCE;
    while(*p) {if (*p > *pu++ || *p++ < *pl++) {return gaGENERIC_FORCE;}}
    return S;    
}

char* gaCheckForceString(char* S) {
    int i, l; char *p = S;
    if (!S || (l = strlen(S)) > 24 || l < 22  || *S < '0' || *S > '9') return gaGENERIC_FORCE;
    for(i = 1 ; i <= 3 ; i++) {
        if (S[i] == '-') return gaCheckForceStringTail(S+i, S);
        if (S[i] < '0' || S[i] > '9') break;
    } return gaGENERIC_FORCE;
}

// GWI: End Force Crash workaround.            

[evan1715]

...compiles...
...boots up...
...loads map...
...changing to maxforcerank 200...
...restarting map...
...setting force powers...
...works!!...

Results: Nice!! Seems to be working for me, thanks Gamall.

[evan1715]

OK, I have a bug.

OK, if you are Client 0 (usually the first person who connects) and some one else or you uses the force crash, only client 0 sees the message and not the proper person who is supposed to see it. So if Client 3 uses the crash, Client 0 sees the message and only Client 0. (if i did a bad explanation of this tell me lol)

and yes, clientNum is in g_local.h under persistant

[Gamall]

Nope, no bug, works fine on JKA.

Either JK2 works differently (don't think so) or you messed something up ( ).

Ar you absolutely positive you copied that part : "trap_SendServerCommand(ent->client->pers.clientNum," correctly ?

[evan1715]

yes of course i copied and pasted i guess it does work differently only JK2 because it's doing that on the client commands too, only letting Client 0 see it, and when other clients type /help Client 0 sees it

Code: Select all

          if (temp != forcePowers) {
 			trap_SendServerCommand(ent->client->pers.clientNum, va("print \"^5Incorrect force string '^2%s'^5. Replaced by default.\n\"", forcePowers));
			G_LogPrintf("FORCE CRASH: Client num %d tried to take incorrect forcestring '%s'.",
				ent->client->pers.clientNum, forcePowers);
			Q_strncpyz( forcePowers, temp, sizeof( forcePowers ) );
        }

oh and if client 3 does it, the g_logprintf says "FORCE CRASH: Client num 0 tried to take incorrect forcestring '1337'." thats when client 3 does it, it's blaming client 0! and still resets client 3's force powers not 0's

this doesn't make any sense because my anti flood works great, it sends the proper client the message whenever they try and flood

[Gamall]

yes of course i copied and pasted i guess it does work differently only JK2 because it's doing that on the client commands too, only letting Client 0 see it, and when other clients type /help Client 0 sees it

The client commands use ent->client->pers.clientNum too to get the client number. If that doesn't work in JK2...

Try replacing that by ent->s.clientNum, and see what it does

[evan1715]

ah ok it seems to be working, thanks again Gamall hehe now the client commands and force message works