Reject clc_stringcmd with \r and \n in them; when developer is set, hex dump these...
authordivverent <divverent@d7cf8633-e32d-0410-b094-e92efae38249>
Tue, 22 May 2007 07:39:05 +0000 (07:39 +0000)
committerdivverent <divverent@d7cf8633-e32d-0410-b094-e92efae38249>
Tue, 22 May 2007 07:39:05 +0000 (07:39 +0000)
Exception: \r and \n are allowed at the end of a clc_stringcmd, but get cut off before processing (DP builds from before yesterday did that with sentcvar commands).

git-svn-id: svn://svn.icculus.org/twilight/trunk/darkplaces@7335 d7cf8633-e32d-0410-b094-e92efae38249

sv_user.c

index ee039d1..86fca56 100644 (file)
--- a/sv_user.c
+++ b/sv_user.c
@@ -717,7 +717,7 @@ extern sizebuf_t vm_tempstringsbuf;
 void SV_ReadClientMessage(void)
 {
        int cmd, num, start;
-       char *s;
+       char *s, *p, *q;
 
        //MSG_BeginReading ();
        sv_numreadmoves = 0;
@@ -759,6 +759,21 @@ void SV_ReadClientMessage(void)
 
                case clc_stringcmd:
                        s = MSG_ReadString ();
+                       q = NULL;
+                       for(p = s; *p; ++p) switch(*p)
+                       {
+                               case 10:
+                               case 13:
+                                       if(!q)
+                                               q = p;
+                                       break;
+                               default:
+                                       if(q)
+                                               goto clc_stringcmd_invalid; // newline seen, THEN something else -> possible exploit
+                                       break;
+                       }
+                       if(q)
+                               *q = 0;
                        if (strncasecmp(s, "spawn", 5) == 0
                         || strncasecmp(s, "begin", 5) == 0
                         || strncasecmp(s, "prespawn", 8) == 0)
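Review bot: The scan added at `for(p = s; *p; ++p) switch(*p)` identifies CR and LF by the bare numbers `10` and `13` and hangs the switch off an unbraced `for`, which makes the filtering rule harder to audit than it should be. I would write `case '\n':` and `case '\r':`, brace the loop body, and put a comment above the loop such as `// a trailing run of CR/LF is allowed and cut off below; CR/LF followed by any other byte rejects the whole command`. The filter covers only these two bytes. Whether the consumers further down (`Cmd_ExecuteString` and the rest of this case, which lie outside the hunk) treat any other byte as a separator cannot be told from here and is worth confirming. The body of `SV_ReadClientMessage` starts and ends outside this hunk.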
@@ -776,6 +791,12 @@ void SV_ReadClientMessage(void)
                                Cmd_ExecuteString (s, src_client);
                        break;
 
+clc_stringcmd_invalid:
+                       Con_Printf("Received invalid stringcmd from %s\n", host_client->name);
+                       if(developer.integer)
+                               Com_HexDumpToConsole((unsigned char *) s, strlen(s));
+                       break;
+
                case clc_disconnect:
                        SV_DropClient (false); // client wants to disconnect
                        return;
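Review bot: The rejection path under `clc_stringcmd_invalid:` identifies the sender only by `host_client->name`, which the client chooses, and it prints once per bad message with no limit. The log line therefore does not attribute the sender reliably, and a client that keeps sending such messages can fill the console or log. I would add the client's network address to the message and suppress repeats per client, or drop the client after a threshold, so an operator gets one usable record instead of a flood. The label sits between two `case` arms and is reachable only through the `goto`, so a comment such as `// reached only via goto from the clc_stringcmd newline scan` would help the next reader. The enclosing switch and function continue outside this hunk.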