reHLDS/rehlds
2
0
Fork 0
mirror of https://github.com/rehlds/rehlds.git synced 2025-02-26 21:41:06 +03:00
Code Issues Projects Releases Wiki Activity

Fix (Re)HLDS exploit (Can't use keys or values with a ")

Browse Source 
Assume two clients connect with the following string

```connect 48 12345678  \prot\2\unique\-1\raw\261578371d95a424925835ca44f82811   \cl_lw\1\cl_lc\1\*hltv\1\rate\10000\cl_updaterate\20\hspecs\0\hslots\0\hdelay\30\name\test"```

Name will be parsed as ```test"```

Then in ```SV_CheckForDuplicateNames```, ```Info_SetValueForKey``` will fail because of the quotes, and an infinite loop will occur.

I also added a check for ```\```, altough it's technically impossible to appear, it never hurts to be extra careful with this kind of client input.

TODO (by others sorry, really busy atm):
- Fix ```COM_Parse``` so that you can't inject quote marks. Other exploits may currently exist that also rely on this bug.
This commit is contained in:
IgnacioDM 2018-04-01 11:53:32 -03:00 committed by Alik Aslanyan
parent 822df9a92d
commit 19e3a5df56
1 changed files with 5 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
rehlds/engine/sv_main.cpp
View File

@ -2121,7 +2121,11 @@ int SV_CheckUserInfo(netadr_t *adr, char *userinfo, qboolean bIsReconnecting, in
}
#endif
#ifdef REHLDS_FIXES
if (name[0] == 0 || !Q_stricmp(name, "console") || Q_strstr(name, "..") || Q_strstr(name, "\"") || Q_strstr(name, "\\"))
#else // REHLDS_FIXES
if (name[0] == 0 || !Q_stricmp(name, "console") || Q_strstr(name, "..") != NULL)
#endif // REHLDS_FIXES
{
Info_SetValueForKey(userinfo, "name", "unnamed", MAX_INFO_STRING);
}
@ -4902,7 +4906,7 @@ void SV_ExtractFromUserinfo(client_t *cl)
if (newname[0] == '\0' || !Q_stricmp(newname, "console")
#ifdef REHLDS_FIXES
|| Q_strstr(newname, "..") != NULL)
|| Q_strstr(newname, "..") || Q_strstr(newname, "\"") || Q_strstr(newname, "\\"))
#else // REHLDS_FIXES
)
#endif // REHLDS_FIXES