Date:	Wed, 20 Jan 1999 11:32:53 -0900
From:	Leif Sawyer <lsawyer@GCI.COM>
Subject:      Quake 2 Server Crash
To:	BUGTRAQ@NETSPACE.ORG

As the admin of a number of quake servers, I get a lot of grief when
the servers stop responding.  So imagine my shock today when I found
this in the log files:

(this occurs multiple times for multiple crashes)
***
------- Server Initialization -------
Lithium II Mod v1.23
Map: q2dm1  Clients: 0  Mode: DM
-------------------------------------
[TIMESTAMP] Wed Jan 20 00:57:32 1999
I.Crash.Servers connected
I.Crash.Servers entered the game (clients = 1)
Jim connected
I.Crash.Servers: isnt that cool?
Jim entered the game (clients = 2)
I.Crash.Servers:
f8.4066308.801916-1.997275255795727776554871684441501993271851
9261309972204529857042804295557369695379254160160904297030785333441191234036
372
2499905328180655146669812558216724401294487295256574001965593672278165930946
719
3302374718244644559434141982001968511670514876416.00000036203864208242065706
466
1081185321877918727462818352478172131544629258886053999628422250104238529930
351
3551062118684114774264001292444408779478784277297190716136058182749928079155
891
9394960823549936938384302198920503798602255236931094287764296569603621788156
166
144.000000113657843383457536412624131570413790616376014830719891410806832006
410
5647602260490606393886304550213680577198197497079229103864544867746075566174
424
8634118857431357303292149281287307264.00000011365826244271748860700812453324
708
2259369610998609036742327423814951455723993612423911582418642120996935351355
297
28494071527092059706478174739780605033959907590230450330932499955318784.0000
001
1365826244271748860700812453324708225936961099860903674232742381495145572399
361
2423911582418642120996935351355297284940715270920597064781747397806050339599
075
90230450330932499955318784
.000000907590230450330932499955318784.00000090.000000000.000000000
%.073741824.00000090.000000000.000000000
%.Master server at 204.182.161.3:27900

***

This causes Dr. Watson to dump out a lot of fun information, which I've
already forwarded to id software.

I haven't figured out any way to stop this overflow attack, but it doesn't
seem to do much else but dump core.

I have not attempted to replicate this to other server platforms, but my
guess is that they would also dump.

--
Leif Sawyer
leif@gci.net  ||  lsawyer@gci.com  ||  internic: LS2540
(907) 267 - 0116   ||  ICQ - 3749190  || http://home.gci.net/~leif
Internet System Administrator -- General Communications Inc.
PGP Fingerprint: 77 C8 34 B8 FD BC C6 32  5F FE 93 4B AE 6C F7 4E
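
A log check for the symptom shown in the excerpt above, as an added example that is not part of the original post: it flags blocks of log lines carrying digit runs far longer than normal chat output and attributes each block to the last player who spoke. The 40-digit threshold, the speaker heuristic, and the sample log (constructed, with placeholder names, shortened digit runs and a documentation IP address) are assumptions.

```python
import re

SPILL = re.compile(r"\d{40,}")            # assumed threshold: no normal line has 40+ digits in a row
CONT = re.compile(r"^[\d.%-]+$")          # wrapped fragment of the same numeric output
SPEAKER = re.compile(r"^([^\s:\[]+): ?")  # heuristic match for a "name: message" chat line

def find_spills(log_text):
    """Return one record per block of numeric spill, attributed to the last speaker."""
    incidents, current, last_speaker = [], None, None
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        if SPILL.search(line) or (current and CONT.match(line)):
            if current is None:
                current = {"speaker": last_speaker, "first_line": lineno, "lines": 0}
            current["lines"] += 1
            continue
        if current:                        # a normal line ends the block
            incidents.append(current)
            current = None
        m = SPEAKER.match(line)
        if m:
            last_speaker = m.group(1)
    if current:                            # log ended in the middle of a block
        incidents.append(current)
    return incidents

RUN = "1234567890" * 7  # constructed 70-digit run standing in for the real output
SAMPLE_LOG = "\n".join([  # constructed log, laid out like the excerpt in the post
    "[TIMESTAMP] Wed Jan 20 00:57:32 1999",
    "PlayerA connected",
    "PlayerA entered the game (clients = 1)",
    "PlayerB connected",
    "PlayerA: isnt that cool?",
    "PlayerB entered the game (clients = 2)",
    "PlayerA:",
    "f8.4066308.801916-1." + RUN,
    "372",
    RUN + ".000000" + RUN,
    ".00000090.000000000.000000000",
    "%.Master server at 192.0.2.1:27900",
    "PlayerB: hello",
])

if __name__ == "__main__":
    for hit in find_spills(SAMPLE_LOG):
        print(hit)
```

Run against archived server logs, the records give the player name and line number to correlate with crash times and Dr. Watson dumps.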