From 47c9641939d84cfae249b38d2691d37ff84be817 Mon Sep 17 00:00:00 2001
From: ineed bots
Date: Tue, 18 Apr 2023 20:54:40 -0600
Subject: [PATCH] Fix bad client reliableAcknowledge DOS exploit

Having a reliableAcknowledge of 0x7FFFFFFF causes a massive loop to be executed in SV_UpdateServerCommandsToClient due to the + 1 overflow.
---
 code/server/sv_client.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/code/server/sv_client.c b/code/server/sv_client.c
index 62d6456e..1d230c07 100644
--- a/code/server/sv_client.c
+++ b/code/server/sv_client.c
@@ -1917,7 +1917,7 @@ void SV_ExecuteClientMessage( client_t *cl, msg_t *msg ) {
 // NOTE: when the client message is fux0red the acknowledgement numbers
 // can be out of range, this could cause the server to send thousands of server
 // commands which the server thinks are not yet acknowledged in SV_UpdateServerCommandsToClient
- if (cl->reliableAcknowledge < cl->reliableSequence - MAX_RELIABLE_COMMANDS) {
+ if ((cl->reliableSequence - cl->reliableAcknowledge >= MAX_RELIABLE_COMMANDS) || (cl->reliableSequence - cl->reliableAcknowledge < 0)) {
 // usually only hackers create messages like this
 // it is more annoying for them to let them hanging
 #ifndef NDEBUG
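Review bot: The new range test still does signed arithmetic on a value the commit message attributes to a bad client. `cl->reliableSequence - cl->reliableAcknowledge` is evaluated twice, and if both fields are `int` (their declarations are outside the hunk) the subtraction itself can overflow when the two values are far apart, which is undefined behaviour in C and only rejects correctly where the compiler happens to wrap. Taking the distance once in unsigned arithmetic keeps the same accept window without relying on that: `unsigned int pending = (unsigned int)cl->reliableSequence - (unsigned int)cl->reliableAcknowledge;` followed by `if (pending >= MAX_RELIABLE_COMMANDS) {`. The boundary also moved: the old condition let a distance of exactly MAX_RELIABLE_COMMANDS through and the new `>=` rejects it, so confirm against the code that queues reliable commands that a legitimately full queue cannot land in this branch. SV_ExecuteClientMessage starts and ends outside the hunk.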