Hi,

I've looked into the recently reported QuakeWorld server hole for "exploitability" other than DoS. It seems the smashed buffer is a static one rather than one on the stack; when we use a very large string full of 'A' to fill the buffer with, we don't get a crash due to execution at address 0x41414141. Instead we find we have trashed some structures with pointers in them. The eventual crash is due to a dereference of 0x10+(0x41414141), in the function "Z_CheckHeap()". The actual structure corrupted is called "mainzone", and the actual buffer smashed is called "com_token" and appears to be exactly 1024 bytes long.

If, as you say, an ID Software employee has ignored your reports of this bug, then that is _very_ poor.

Cheers
Chris
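The mechanism described in the message above, a fixed-size static buffer that overflows into a neighbouring structure full of pointers rather than onto a stack return address, as an added illustration. This is not code from the original post or from the QuakeWorld source: the names (com_token, mainzone, memblock_t, the Z_CheckHeap-style walk), the field layout and the 16-byte token size are a hypothetical model of the bug class chosen for the demo, and the constructed input is an over-long run of 'A'. The real buffer is reported as 1024 bytes, and how adjacent two real globals end up is decided by the linker, which is why the model puts both in one object.

```c
/*
 * Added illustration (not QuakeWorld code): a fixed-size "static" token buffer
 * overflows into an adjacent zone-allocator header that holds pointers. The
 * struct layout, field names and sizes are a hypothetical model of the bug
 * class described in the post; TOKEN_MAX is shrunk from the reported 1024.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TOKEN_MAX 16

typedef struct memblock_s {
    int32_t size, tag, id;
    struct memblock_s *next, *prev;   /* on a 32-bit build prev sits at 0x10 */
} memblock_t;

typedef struct {
    int32_t     size;
    memblock_t  blocklist;            /* list head/tail sentinel */
    memblock_t *rover;
} memzone_t;

/* One object holding both, so the adjacency the post observed in the binary is
 * guaranteed here by the language rather than by the linker's ordering. */
struct static_data {
    char      com_token[TOKEN_MAX];
    memzone_t mainzone;
};

static struct static_data g;

/* Constructed input: far longer than com_token can hold. */
static const char LONG_TOKEN[] =
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

/* Empty zone: the sentinel points at itself, as a circular list head does. */
static void zone_init(void)
{
    memset(&g, 0, sizeof g);
    g.mainzone.blocklist.next = &g.mainzone.blocklist;
    g.mainzone.blocklist.prev = &g.mainzone.blocklist;
    g.mainzone.rover = &g.mainzone.blocklist;
}

static int zone_intact(void)
{
    return g.mainzone.blocklist.next == &g.mainzone.blocklist
        && g.mainzone.blocklist.prev == &g.mainzone.blocklist
        && g.mainzone.rover == &g.mainzone.blocklist;
}

/* Vulnerable shape: copy a token until whitespace/NUL with no check against
 * TOKEN_MAX. The copy goes through a byte pointer capped at sizeof g so the
 * overflow lands in mainzone deterministically instead of being wild UB. */
static size_t parse_token_unbounded(const char *in)
{
    unsigned char *dst = (unsigned char *)&g;   /* com_token is at offset 0 */
    size_t n = 0;
    while (in[n] != '\0' && in[n] != ' ' && n + 1 < sizeof g) {
        dst[n] = (unsigned char)in[n];
        n++;
    }
    dst[n] = '\0';
    return n;
}

/* Fixed shape: reject any token that would not fit, leaving mainzone alone.
 * Returns the token length, or -1 when the input was too long. */
static long parse_token_bounded(const char *in)
{
    size_t n = 0;
    while (in[n] != '\0' && in[n] != ' ') {
        if (n + 1 >= TOKEN_MAX) {
            g.com_token[0] = '\0';
            return -1;
        }
        g.com_token[n] = in[n];
        n++;
    }
    g.com_token[n] = '\0';
    return (long)n;
}

/* The address a Z_CheckHeap-style walk would touch first when it follows
 * blocklist.next and reads that block's prev field. Computed, not dereferenced:
 * with the corrupted zone it is 0x41414141... plus offsetof(prev). */
static uintptr_t first_faulting_address(void)
{
    return (uintptr_t)g.mainzone.blocklist.next + offsetof(memblock_t, prev);
}

int main(void)
{
    zone_init();
    size_t n = parse_token_unbounded(LONG_TOKEN);
    printf("unbounded: copied %zu bytes, zone intact = %d, next = %p, walk would touch %#lx\n",
           n, zone_intact(), (void *)g.mainzone.blocklist.next,
           (unsigned long)first_faulting_address());

    zone_init();
    long r = parse_token_bounded(LONG_TOKEN);
    printf("bounded:   result %ld, zone intact = %d\n", r, zone_intact());
    return 0;
}
```

Build with `cc -std=c99 -Wall demo.c && ./a.out`. After the unbounded copy the sentinel's `next` reads as 0x41414141..., so a list walk that dereferences `next->prev` would fault at that value plus the offset of `prev`; in this model that offset is 0x10 on a 32-bit build, which is the shape of fault the post reports. Because the overwritten words are list pointers rather than a saved return address, controlling them means controlling where the allocator's next read or write lands, not where execution jumps, so whether the hole is more than a DoS depends on what Z_CheckHeap and the rest of the zone code do with those pointers.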
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:48:21 PDT