From: divverent <divverent@d7cf8633-e32d-0410-b094-e92efae38249>
Date: Tue, 22 May 2007 07:39:05 +0000 (+0000)
Subject: Reject clc_stringcmd with \r and \n in them; when developer is set, hex dump these... 
X-Git-Tag: xonotic-v0.1.0preview~3121
X-Git-Url: http://de.git.xonotic.org/?p=xonotic%2Fdarkplaces.git;a=commitdiff_plain;h=d6bd3b45d32a1a71a0ca410cbbc93b1e74b4faee

Reject clc_stringcmd with \r and \n in them; when developer is set, hex dump these commands.
Exception: \r and \n are allowed at the end of a clc_stringcmd, but get cut off before processing (DP builds from before yesterday did that with sentcvar commands).


git-svn-id: svn://svn.icculus.org/twilight/trunk/darkplaces@7335 d7cf8633-e32d-0410-b094-e92efae38249
---

diff --git a/sv_user.c b/sv_user.c
index ee039d13..86fca561 100644
--- a/sv_user.c
+++ b/sv_user.c
@@ -717,7 +717,7 @@ extern sizebuf_t vm_tempstringsbuf;
 void SV_ReadClientMessage(void)
 {
 	int cmd, num, start;
-	char *s;
+	char *s, *p, *q;
 
 	//MSG_BeginReading ();
 	sv_numreadmoves = 0;
@@ -759,6 +759,21 @@ void SV_ReadClientMessage(void)
 
 		case clc_stringcmd:
 			s = MSG_ReadString ();
+			q = NULL;
+			for(p = s; *p; ++p) switch(*p)
+			{
+				case 10:
+				case 13:
+					if(!q)
+						q = p;
+					break;
+				default:
+					if(q)
+						goto clc_stringcmd_invalid; // newline seen, THEN something else -> possible exploit
+					break;
+			}
+			if(q)
+				*q = 0;
 			if (strncasecmp(s, "spawn", 5) == 0
 			 || strncasecmp(s, "begin", 5) == 0
 			 || strncasecmp(s, "prespawn", 8) == 0)
@@ -776,6 +791,12 @@ void SV_ReadClientMessage(void)
 				Cmd_ExecuteString (s, src_client);
 			break;
 
+clc_stringcmd_invalid:
+			Con_Printf("Received invalid stringcmd from %s\n", host_client->name);
+			if(developer.integer)
+				Com_HexDumpToConsole((unsigned char *) s, strlen(s));
+			break;
+
 		case clc_disconnect:
 			SV_DropClient (false); // client wants to disconnect
 			return;