Old 10-02-2009, 08:50 PM   #214
-=*Raz0r*=-
Rookie
 
 
Join Date: Oct 2006
Location: Australia
Posts: 243
Quote:
Originally Posted by ensiform View Post
It appears any cvar that is part of userinfo is susceptible to being too large and thus making the userinfo string bigger than 1024 (which would likely mean that the IP string, and others too, may not then be retrieved with trap_GetUserinfo(...), as it's not there because it was chopped off).

This can be a hazard because then ban checks cannot be performed. >.<
As mentioned after, we can check that the value does exist, and ban if not.


Quote:
Originally Posted by ensiform View Post
Fix: Well, Luigi has a Windows-only patch for it, but I haven't heard it tested with q3 and it's not supported by Linux.
I remember hearing there's a side-effect to that 'fix'.


Quote:
Originally Posted by ensiform View Post
Check that there is indeed \ip\ in the string (You wouldn't want to also check for the value I guess because the value is lost after first connect.)
For those wondering how to do this, it's rather simple...
Head over to ClientConnect in g_client.c

Declare a variable like so:
Code:
char TmpIP[32] = {0};
Adapt some code early on in the function so it looks like this:
Code:
	// check to see if they are on the banned IP list
	value = Info_ValueForKey (userinfo, "ip");
	if (!isBot)
		Q_strncpyz( TmpIP, value, sizeof(TmpIP) ); // Used later
	if ( G_FilterPacket( value ) ) {
		return "Banned";
	}
Then after the G_ReadSessionData call, chuck in:
Code:
	if (firstTime && !isBot)
	{
		if(!TmpIP[0])
		{// No IP sent when connecting, probably an unban hack attempt
			client->pers.connected = CON_DISCONNECTED;
			return "Invalid userinfo detected";
		}
		Q_strncpyz(client->sess.IP, TmpIP, sizeof(client->sess.IP));
	}
You can then use client->sess.IP anywhere in the gameside code for whatever reason.


Another way to prevent q3infoboom would be to patch the engine.
I'm not allowed to 'release' the fix, but it involves hooking SV_ConnectionlessPacket and checking lengths.


Last edited by -=*Raz0r*=-; 10-31-2009 at 05:08 AM.
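Added example, not part of the original post or the game's source: a stand-alone C sketch of why the missing-`ip` check above works. `info_value`, `check_connect` and `build_userinfo` are hypothetical names; the parser is a simplified stand-in for `Info_ValueForKey`, and the userinfo strings are constructed samples with `ip` placed last and the string cut at 1024 as the quoted post describes.

```c
#include <stdio.h>
#include <string.h>
#define MAX_INFO_STRING 1024 /* the userinfo limit the post refers to */

/* Simplified stand-in for Info_ValueForKey (assumption, not engine code):
   copies the value of `key` from "\key\value\..." into out, returns 1 if found. */
static int info_value(const char *info, const char *key, char *out, size_t outsz) {
    size_t klen = strlen(key);
    const char *p = info;
    out[0] = '\0';
    while (*p == '\\') {
        const char *k = p + 1, *ksep = strchr(k, '\\');
        if (!ksep) return 0;                 /* truncated tail: key without value */
        const char *v = ksep + 1, *vend = strchr(v, '\\');
        if (!vend) vend = v + strlen(v);
        if ((size_t)(ksep - k) == klen && strncmp(k, key, klen) == 0) {
            size_t n = (size_t)(vend - v);
            if (n >= outsz) n = outsz - 1;
            memcpy(out, v, n);
            out[n] = '\0';
            return 1;
        }
        p = vend;
    }
    return 0;
}

/* Same decision as the ClientConnect check in the post: NULL means accept. */
static const char *check_connect(const char *userinfo, int firstTime, int isBot) {
    char ip[32];
    int found = info_value(userinfo, "ip", ip, sizeof ip);
    if (firstTime && !isBot && (!found || !ip[0]))
        return "Invalid userinfo detected";
    return NULL;
}

/* Constructed sample: client keys first, "ip" last, cut at MAX_INFO_STRING. */
static void build_userinfo(char *dst, size_t name_len) {
    char big[2048] = "\\name\\";
    size_t n = strlen(big);
    memset(big + n, 'A', name_len);          /* caller keeps name_len < 1900 */
    strcpy(big + n + name_len, "\\rate\\25000\\ip\\192.0.2.10:29070");
    snprintf(dst, MAX_INFO_STRING, "%.*s", MAX_INFO_STRING - 1, big);
}

int main(void) {
    char ui[MAX_INFO_STRING];
    build_userinfo(ui, 8);    printf("normal:    %s\n", check_connect(ui, 1, 0) ? "rejected" : "accepted");
    build_userinfo(ui, 1100); printf("oversized: %s\n", check_connect(ui, 1, 0) ? "rejected" : "accepted");
    return 0;
}
```

The oversized case ends inside the `name` value, so the `ip` key never appears and the first-time, non-bot connection is refused before any ban lookup is skipped.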