Fix (Re)HLDS exploit (Can't use keys or values with a ") #595
Conversation
Assume two clients connect with the following string:

```
connect 48 12345678 \prot\2\unique\-1\raw\261578371d95a424925835ca44f82811 \cl_lw\1\cl_lc\1\*hltv\1\rate\10000\cl_updaterate\20\hspecs\0\hslots\0\hdelay\30\name\test"
```

Name will be parsed as `test"`. Then in `SV_CheckForDuplicateNames`, `Info_SetValueForKey` will fail because of the quotes, and an infinite loop will occur.

I also added a check for `\`. Although it's technically impossible to appear, it never hurts to be extra careful with this kind of client input.

TODO (by others, sorry, really busy atm):

- Fix `COM_Parse` so that you can't inject quote marks. Other exploits may currently exist that also rely on this bug.
Merging for now, because bug was disclosed. Btw I think there are better ways to fix this
How do you think it should be fixed?
Maybe it should be validated inside
@WPMGPRoSToTeMa The existing validation in IMO the proper way to fix this is in
@IgnacioFDM validation inside rehlds/rehlds/engine/sv_main.cpp Lines 2079 to 2085 in 19e3a5d
@WPMGPRoSToTeMa We can add
The best way I think is to fix
@WPMGPRoSToTeMa And I think we should return boolean value indicating success or failure for
@In-line how do you want to use it in existing code?
@WPMGPRoSToTeMa It's good for future usage.
@In-line well maybe for proper error handling.
Looks like checks for double backslash and for backslash at the end are also redundant because rehlds/rehlds/engine/sv_main.cpp Lines 2079 to 2085 in 19e3a5d
It is also interesting why quotes are prohibited, maybe because you can't input them into your userinfo via
Remember that although I showed the exploit during connection, a user can change name (and other userinfo) while playing.
You can check it yourself by typing
@WPMGPRoSToTeMa
@In-line what do you mean?
@WPMGPRoSToTeMa I just wanted to share my pain with somebody (⌣_⌣”)
@IgnacioFDM @WPMGPRoSToTeMa Please review #596
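As an added example (not ReHLDS code), here is a small C model of the `\key\value` userinfo handling the thread is about: the setter rejects any key or value containing `"` or `\` and reports success or failure as a boolean, as suggested above, and the duplicate-name loop is bounded and stops when the update is refused instead of retrying forever. The function names mirror the engine's, but the bodies, the `taken[]` name list and the `MAX_INFO_STRING` value are assumptions of this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#define MAX_INFO_STRING 256   /* assumed buffer size, not the engine's value */
/* A key or value may not be empty or contain '"' or '\': a quote breaks
 * tokenising of the connect string and a backslash is the field separator. */
static bool Info_IsValidToken(const char *s) { return *s && !strpbrk(s, "\"\\"); }
/* Remove the first \key\value pair from info in place, if present. */
static void Info_RemoveKey(char *info, const char *key)
{
    size_t klen = strlen(key);
    for (char *p = info; *p == '\\'; ) {
        char *v = strchr(p + 1, '\\');     /* backslash before the value    */
        if (!v) return;
        char *next = strchr(v + 1, '\\');  /* backslash before the next key */
        if ((size_t)(v - p - 1) == klen && memcmp(p + 1, key, klen) == 0) {
            if (next) memmove(p, next, strlen(next) + 1); else *p = '\0';
            return;
        }
        if (!next) return;
        p = next;
    }
}
/* Set key to value. Returns false and leaves info untouched when either token
 * is rejected or the result would not fit; callers must honour the result. */
bool Info_SetValueForKey(char *info, const char *key, const char *value)
{
    if (!Info_IsValidToken(key) || !Info_IsValidToken(value)) return false;
    char tmp[MAX_INFO_STRING];
    snprintf(tmp, sizeof tmp, "%s", info);
    Info_RemoveKey(tmp, key);
    if (strlen(tmp) + strlen(key) + strlen(value) + 2 >= sizeof tmp) return false;
    snprintf(tmp + strlen(tmp), sizeof tmp - strlen(tmp), "\\%s\\%s", key, value);
    strcpy(info, tmp);
    return true;
}

/* Give a client a name not in taken[] by appending " (n)". The loop is bounded
 * by ntaken, and a refused update is reported rather than retried forever. */
bool SV_CheckForDuplicateNames(char *info, const char *name, const char *const *taken, size_t ntaken)
{
    char candidate[MAX_INFO_STRING];
    snprintf(candidate, sizeof candidate, "%s", name);
    for (int n = 1; n <= (int)ntaken + 1; n++) {
        size_t i = 0;
        while (i < ntaken && strcmp(candidate, taken[i]) != 0) i++;
        if (i == ntaken) return Info_SetValueForKey(info, "name", candidate);
        snprintf(candidate, sizeof candidate, "%s (%d)", name, n);
    }
    return false;   /* unreachable: ntaken + 1 distinct candidates were tried */
}
```

With a constructed userinfo `\prot\2\name\test` and the names `test` and `test (1)` already taken, the client ends up as `test (2)`; a client sending `test"` is refused with `false` and its userinfo is left unchanged.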
|