Hi,

As promised, more QuakeI holes. And I'd put no small number of pints on the fact there are parallels in QW client and maybe Q2 client.

Basically, the client is careless at parsing certain server messages. This includes but is by no means limited to:

1) List of precache paths. Each arbitrary length precache string the server gives the client is stuffed into a 64 byte buffer ON THE STACK. Ouch. This conversation of precaching is part of connection.

2) Careless parsing of server name/address etc. when querying status. Again strings are stuffed into fixed length buffers.

3) Server can as part of protocol give client arbitrary console command. Of these, at least "map blahblah_bigger_than_64_chars" will cause a buffer/stack overrun.

Scarily, at least 1) and 3) are still present in _latest_ QuakeI client, 1.09, and will be cross-platform execute-arbitrary-code problems.

When will people learn to take especial care in parsing responses from potentially malicious remote servers? (lynx, ncftp.. etc.)

Cheers
Chris
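The pattern Chris describes (an unbounded server-supplied string copied into a fixed 64-byte stack buffer) next to the bounded parsing a client should do instead. This is an added illustration, not code from the post or from the Quake source; `MAX_QPATH`, the function names, and the sample precache paths are this example's own assumptions, and the unsafe function is shown only for contrast and is never called.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed buffer size: the post says each precache string lands in a
   64-byte stack buffer. The name MAX_QPATH is this example's own. */
#define MAX_QPATH 64

/* The careless pattern the post describes: an arbitrary-length string from
   the server copied into a fixed stack buffer with no bound. Shown only
   for contrast; nothing in this file calls it. */
static void precache_path_unsafe(const char *from_server)
{
    char path[MAX_QPATH];
    strcpy(path, from_server);          /* overruns when strlen >= 64 */
    (void)path;
}

/* Hardened form: treat every byte from the network as hostile. Check the
   length against the destination (leaving room for the NUL), restrict the
   character set to printable ASCII, and copy only after both checks pass.
   Returns true if the string was accepted and copied into dst. */
static bool accept_server_string(const char *from_server, char *dst, size_t dst_len)
{
    size_t n = strlen(from_server);
    if (dst_len == 0 || n >= dst_len)
        return false;                   /* would not fit with its terminator */
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)from_server[i];
        if (c < 0x20 || c > 0x7e)
            return false;               /* control or non-ASCII byte */
    }
    memcpy(dst, from_server, n + 1);
    return true;
}

/* Precache list handling (item 1 in the post): accept entries one by one
   and stop at the first bad one, so a hostile server cannot leave the
   client half-parsed. Returns the number of entries accepted, or -1. */
static int precache_list(const char *const *paths, int count)
{
    char path[MAX_QPATH];
    for (int i = 0; i < count; i++) {
        if (!accept_server_string(paths[i], path, sizeof path))
            return -1;
        /* a real client would now load `path`; here it is only counted */
    }
    return count;
}

/* Stuffed console command (item 3 in the post): the same bound is applied
   before the command ever reaches the console, so an over-long
   "map ..." is dropped instead of executed. */
static bool stuffcmd(const char *cmd, char *out, size_t out_len)
{
    return accept_server_string(cmd, out, out_len);
}

int main(void)
{
    /* Constructed sample data for the example. */
    const char *ok_paths[] = { "maps/e1m1.bsp", "progs/player.mdl", "sound/items/r_item1.wav" };
    char hostile[300];
    memset(hostile, 'A', sizeof hostile - 1);
    hostile[sizeof hostile - 1] = '\0';
    const char *bad_paths[] = { "maps/e1m1.bsp", hostile };
    char buf[MAX_QPATH];

    (void)precache_path_unsafe;         /* referenced, never called */
    printf("good list: %d\n", precache_list(ok_paths, 3));                 /* 3 */
    printf("hostile list: %d\n", precache_list(bad_paths, 2));             /* -1 */
    printf("stuffcmd short: %d\n", stuffcmd("map e1m1", buf, sizeof buf)); /* 1 */
    printf("stuffcmd long: %d\n", stuffcmd(hostile, buf, sizeof buf));     /* 0 */
    return 0;
}
```

The point of routing both the precache list and the stuffed command through one `accept_server_string` is that the bound lives in one place: the destination size is passed by the caller, the sender never controls where the copy ends, and a rejected string fails the whole message rather than leaving a partially filled buffer behind.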
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:48:22 PDT