lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <00cb01c57e81$7e360e80$0505a8c0@Slawek>
Date: Fri, 1 Jul 2005 23:11:45 +0200
From: "Slawek" <sgp@...satgp.com.pl>
To: "Luigi Auriemma" <aluigi@...istici.org>,
	<bugtraq@...urityfocus.com>, <bugs@...uritytracker.com>,
	<news@...uriteam.com>, <full-disclosure@...ts.grok.org.uk>,
	<vuln@...unia.com>
Subject: Re: In-game /ignore crash in Soldier of Fortune
	II 1.03


Hello!
In message to <bugtraq@...urityfocus.com>; <bugs@...uritytracker.com>; 
<news@...uriteam.com>; <full-disclosure@...ts.grok.org.uk>; 
<vuln@...unia.com> sent Wed, 29 Jun 2005 20:32:51 +0000 you wrote:


 LA> #######################################################################

 LA>                              Luigi Auriemma

 LA> Application:  Soldier of Fortune II
 LA>               http://sof2.ravensoft.com
 LA> Versions:     1.02x and 1.03
 LA> Platforms:    Windows, Linux and Mac
 LA> Bug:          bad memory access
 LA> Exploitation: remote, versus server (in-game)
 LA> Date:         29 Jun 2005
 LA> Author:       unknown, found in the wild and reported to me by two
 LA>               admins
 LA> Advisory:     Luigi Auriemma
 LA>               e-mail: aluigi@...istici.org
 LA>               web:    http://aluigi.altervista.org

[...]

 LA> ======
 LA> 4) Fix
 LA> ======

 LA> The game is no longer supported so there is no official fix.

 LA> The correct way for removing the problem is patching the bug into the
 LA> latest SDK available for the game (1.02 + 1.03) and recompiling it.
 LA> The patch consists in the adding of the following instruction in
 LA> g_cmds.c after "ignoree = atoi( buffer );" at line 1962:

 LA>   if(ignoree > MAX_GENTITIES) return;

I'm afraid it's not enough.

Unfortunatelly ignoree is declared "int" so you should test for negative 
values as well.
Also used table is MAX_GENTITIES long, so ignoree being equal MAX_GENTITIES 
is invalid.

Correct test should rather look like this:

if ((ignoree < 0) || (ignoree >= MAX_GENTITIES)) return;



------------------------------------------ 
Slawomir Piotrowski / Telsat GP
Rejestracja Czasu Pracy i Kontrola Dostepu
http://www.ewidencja-czasu-pracy.pl
------------------------------------------ 


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ