Date:	Thu, 21 Jan 1999 20:41:07 -0600
From:	Signal 11 <signal11@MEDIAONE.NET>
Subject:	Re: Quake 2 Server Crash
To:	BUGTRAQ@NETSPACE.ORG

Leif Sawyer wrote:

> I haven't figured out any way to stop this overflow attack, but it doesn't
> seem to do much else but dump core.

I saw a similar problem in QuakeWorld, which Zoid fixed about a month later -
a user can set a variable name + value using the "set" command in the console
to an arbitrary length.  I stuck one about 100 chars long into a string in
autoexec, and loaded up my qwcl client.  It reliably crashed any server.
*That* bug has since been fixed long ago.

A new one I noted at least as late as 3.19 (I think) is a derivative.  Issue
the following at a console for a plain-old CTF server:

msg 4
bind c "team red; team blue; team red;team blue;team red;team blue;team red;team blue"

Pop out of the console and start hammering that C key.

In about 10-15 seconds, either all the players overflow and drop out of the
game, or your screen jitters, the sound skips, and the server comes crashing
down.

However, that doesn't help you much, as having only 2 players in the game
throws this theory out. :/  No doubt it's a buffer overflow on one of the
client-settable variables.  Maybe fov?  qwcl also did *not* like negative
values.  Quake2 might be similar.
Now, back to fragging those stupid zbots...

But I'm not a Quake coder, so don't hold me to any of this.  This was just
something I discovered by accident.  It's been reported, but nobody at id
seems to care, since Quake Arena is due out soon....

--
signal11@mediaone.net | BOFH, Signal 11 Network | RSA encryption follows:
print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<>
)]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`