QuakeI client: serious holes.

Chris Evans (chris@FERRET.LMH.OX.AC.UK)
Wed, 08 Apr 1998 07:18:09 +0100

Hi,

As promised, more QuakeI holes. And I'd put no small number of pints on
the fact there are parallels in QW client and maybe Q2 client.

Basically, the client is careless at parsing certain server messages. This
includes but is by no means limited to:

1) List of precache paths. Each arbitrary-length precache string the
server gives the client is stuffed into a 64-byte buffer ON THE STACK.
Ouch. This conversation of precaching is part of connection.

2) Careless parsing of server name/address etc. when querying status.
Again strings are stuffed into fixed-length buffers.

3) Server can as part of protocol give client arbitrary console command.
Of these, at least "map blahblah_bigger_than_64_chars" will cause a
buffer/stack overrun.

Scarily, at least 1) and 3) are still present in _latest_ quakeI client,
1.09, and will be cross-platform execute-arbitrary-code problems.

When will people learn to take especial care in parsing responses from
potentially malicious remote servers? (lynx, ncftp, etc.)

Cheers
Chris
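The parsing defect in item 1) above, shown as an added example (this is editorial illustration code, not Quake source and not the author's code). It models a precache list as a sequence of NUL-terminated strings ending in an empty string, reads each one into a fixed 64-byte buffer, and refuses any string that would not fit or that runs off the end of the packet. The 64-byte size comes from the post; the function names, the message layout and the sample packets are assumptions constructed for the example.

```c
/* Added example, not Quake source: bounded parsing of server-supplied
 * precache strings. The pattern the post criticises is an unchecked copy
 * (strcpy-style) of a string of any length into a 64-byte buffer; the
 * reader below bounds both the string and the packet it comes from. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_QPATH 64   /* 64-byte fixed buffer, as the post describes */

/* Copy one NUL-terminated string from an untrusted message into `out`.
 * Returns 1 on success, 0 if the string is overlong or unterminated.
 * `msg`/`msglen` bound the packet; `*pos` advances past the consumed
 * string (including its NUL) on success. Names are assumed, not Quake's. */
int read_precache_string(const unsigned char *msg, size_t msglen, size_t *pos,
                         char out[MAX_QPATH])
{
    size_t start = *pos;
    size_t i = start;

    /* Scan for the terminator without stepping past the packet, and stop
     * as soon as the string could no longer fit with its NUL. */
    while (i < msglen && msg[i] != '\0') {
        if (i - start >= MAX_QPATH - 1)
            return 0;            /* would overflow the 64-byte buffer */
        i++;
    }
    if (i >= msglen)
        return 0;                /* unterminated: ran off the packet */

    memcpy(out, msg + start, i - start);
    out[i - start] = '\0';
    *pos = i + 1;                /* consume the NUL */
    return 1;
}

/* Parse a whole precache list (strings ended by an empty string).
 * Returns the number of names accepted, or -1 if any is rejected. */
int parse_precache_list(const unsigned char *msg, size_t msglen)
{
    size_t pos = 0;
    int count = 0;
    char name[MAX_QPATH];

    for (;;) {
        if (!read_precache_string(msg, msglen, &pos, name))
            return -1;
        if (name[0] == '\0')
            return count;
        count++;
    }
}

/* Constructed sample: two well-formed names, then the empty terminator.
 * sizeof includes the literal's implicit trailing NUL, which supplies the
 * empty string that ends the list. */
static const unsigned char GOOD_LIST[] = "progs/player.mdl\0maps/e1m1.bsp\0";

/* Constructed sample: a packet cut off before any NUL. */
static const unsigned char TRUNCATED[] = { 'm', 'a', 'p', 's' };

/* Build a list holding one name of `len` bytes and parse it. Shows the
 * boundary: 63 bytes fit the 64-byte buffer, 64 do not. */
int parse_single_name_of_length(size_t len)
{
    unsigned char buf[256];

    if (len > sizeof buf - 2)
        return -2;               /* sample too large for this helper */
    memset(buf, 'A', len);
    buf[len] = '\0';
    buf[len + 1] = '\0';         /* empty string ends the list */
    return parse_precache_list(buf, len + 2);
}

int main(void)
{
    printf("good list:        %d\n", parse_precache_list(GOOD_LIST, sizeof GOOD_LIST));
    printf("63-byte name:     %d\n", parse_single_name_of_length(63));
    printf("64-byte name:     %d\n", parse_single_name_of_length(64));
    printf("truncated packet: %d\n", parse_precache_list(TRUNCATED, sizeof TRUNCATED));
    return 0;
}
```

The two bounds do different jobs: the `MAX_QPATH - 1` check prevents the buffer overrun the post describes, while the `i < msglen` check prevents reading past the received packet when a server omits the terminator. A parser that only has one of the two is still exploitable in the other direction.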