Unity-Technologies / qstat

New official qstat repository
Artistic License 2.0
121 stars, 33 forks

Buffer overflow on UT2004 server query (GameSpy server protocol) (xform-related bug) #11

Closed illwieckz closed 9 years ago

illwieckz commented 9 years ago

Hi, when I try to query a GameSpy-like master server for ut2004 servers, I get a buffer overflow:

$ qstat -gsm,ut2004 gsm.qtracker.com:28900
ADDRESS           PLAYERS      MAP   RESPONSE TIME    NAME
GSM gsm.qtracker.com:28900 374 servers      0 / 0
GPS  95.156.230.71:6010     0/20  0/0  DM-{GGMJ}_TheCave     55 / 0  xDeathMatch -INSTAGIB- **FUN ART 2 KILL** - by DNW
GPS  87.98.169.25:7787      8/16  0/0  XMP-Garden     58 / 0  XMPGame -UTXMP Server-
GPS  85.214.237.40:7187     0/26  0/0  AS-ChocolateFactory     96 / 0  ASGameInfo }GBD{ Battlefield Assault 24/7
*** buffer overflow detected ***: qstat terminated
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x78c4e)[0x7ff766be0c4e]
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x5c)[0x7ff766c80e8c]
/lib/x86_64-linux-gnu/libc.so.6(+0x116e80)[0x7ff766c7ee80]
/lib/x86_64-linux-gnu/libc.so.6(+0x1163d9)[0x7ff766c7e3d9]
/lib/x86_64-linux-gnu/libc.so.6(_IO_default_xsputn+0x80)[0x7ff766be43a0]
/lib/x86_64-linux-gnu/libc.so.6(_IO_vfprintf+0x3e42)[0x7ff766bb5a62]
/lib/x86_64-linux-gnu/libc.so.6(__vsprintf_chk+0x84)[0x7ff766c7e464]
/lib/x86_64-linux-gnu/libc.so.6(__sprintf_chk+0x7d)[0x7ff766c7e3bd]
qstat[0x4043a7]
qstat[0x40a98b]
qstat[0x41ca85]
qstat[0x41dd34]
qstat[0x41df45]
qstat[0x41f6b5]
qstat[0x402333]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7ff766b88a40]
qstat[0x403829]
======= Memory map: ========
00400000-00445000 r-xp 00000000 fc:02 219994                             /usr/bin/qstat
00645000-00646000 r--p 00045000 fc:02 219994                             /usr/bin/qstat
00646000-0064c000 rw-p 00046000 fc:02 219994                             /usr/bin/qstat
0064c000-0065a000 rw-p 00000000 00:00 0 
01b3e000-01ba1000 rw-p 00000000 00:00 0                                  [heap]
7ff765c88000-7ff765c9e000 r-xp 00000000 fc:02 6030633                    /lib/x86_64-linux-gnu/libgcc_s.so.1
7ff765c9e000-7ff765e9d000 ---p 00016000 fc:02 6030633                    /lib/x86_64-linux-gnu/libgcc_s.so.1
7ff765e9d000-7ff765e9e000 rw-p 00015000 fc:02 6030633                    /lib/x86_64-linux-gnu/libgcc_s.so.1
7ff765e9f000-7ff766120000 rw-p 00000000 00:00 0 
7ff766120000-7ff766137000 r-xp 00000000 fc:02 6030600                    /lib/x86_64-linux-gnu/libresolv-2.21.so
7ff766137000-7ff766337000 ---p 00017000 fc:02 6030600                    /lib/x86_64-linux-gnu/libresolv-2.21.so
7ff766337000-7ff766339000 r--p 00017000 fc:02 6030600                    /lib/x86_64-linux-gnu/libresolv-2.21.so
7ff766339000-7ff76633a000 rw-p 00019000 fc:02 6030600                    /lib/x86_64-linux-gnu/libresolv-2.21.so
7ff76633a000-7ff76633c000 rw-p 00000000 00:00 0 
7ff766340000-7ff766345000 r-xp 00000000 fc:02 6030622                    /lib/x86_64-linux-gnu/libnss_dns-2.21.so
7ff766345000-7ff766544000 ---p 00005000 fc:02 6030622                    /lib/x86_64-linux-gnu/libnss_dns-2.21.so
7ff766544000-7ff766545000 r--p 00004000 fc:02 6030622                    /lib/x86_64-linux-gnu/libnss_dns-2.21.so
7ff766545000-7ff766546000 rw-p 00005000 fc:02 6030622                    /lib/x86_64-linux-gnu/libnss_dns-2.21.so
7ff766548000-7ff76654a000 r-xp 00000000 fc:02 6029916                    /lib/x86_64-linux-gnu/libnss_mdns4_minimal.so.2
7ff76654a000-7ff766749000 ---p 00002000 fc:02 6029916                    /lib/x86_64-linux-gnu/libnss_mdns4_minimal.so.2
7ff766749000-7ff76674a000 r--p 00001000 fc:02 6029916                    /lib/x86_64-linux-gnu/libnss_mdns4_minimal.so.2
7ff76674a000-7ff76674b000 rw-p 00002000 fc:02 6029916                    /lib/x86_64-linux-gnu/libnss_mdns4_minimal.so.2
7ff766750000-7ff766753000 r-xp 00000000 fc:02 6029369                    /lib/x86_64-linux-gnu/libnss_myhostname.so.2
7ff766753000-7ff766952000 ---p 00003000 fc:02 6029369                    /lib/x86_64-linux-gnu/libnss_myhostname.so.2
7ff766952000-7ff766953000 r--p 00002000 fc:02 6029369                    /lib/x86_64-linux-gnu/libnss_myhostname.so.2
7ff766953000-7ff766954000 rw-p 00003000 fc:02 6029369                    /lib/x86_64-linux-gnu/libnss_myhostname.so.2
7ff766958000-7ff766964000 r-xp 00000000 fc:02 6030602                    /lib/x86_64-linux-gnu/libnss_files-2.21.so
7ff766964000-7ff766b63000 ---p 0000c000 fc:02 6030602                    /lib/x86_64-linux-gnu/libnss_files-2.21.so
7ff766b63000-7ff766b64000 r--p 0000b000 fc:02 6030602                    /lib/x86_64-linux-gnu/libnss_files-2.21.so
7ff766b64000-7ff766b65000 rw-p 0000c000 fc:02 6030602                    /lib/x86_64-linux-gnu/libnss_files-2.21.so
7ff766b68000-7ff766d28000 r-xp 00000000 fc:02 6030624                    /lib/x86_64-linux-gnu/libc-2.21.so
7ff766d28000-7ff766f28000 ---p 001c0000 fc:02 6030624                    /lib/x86_64-linux-gnu/libc-2.21.so
7ff766f28000-7ff766f2c000 r--p 001c0000 fc:02 6030624                    /lib/x86_64-linux-gnu/libc-2.21.so
7ff766f2c000-7ff766f2e000 rw-p 001c4000 fc:02 6030624                    /lib/x86_64-linux-gnu/libc-2.21.so
7ff766f2e000-7ff766f32000 rw-p 00000000 00:00 0 
7ff766f38000-7ff766f5c000 r-xp 00000000 fc:02 6030594                    /lib/x86_64-linux-gnu/ld-2.21.so
7ff767157000-7ff76715b000 rw-p 00000000 00:00 0 
7ff76715b000-7ff76715c000 r--p 00023000 fc:02 6030594                    /lib/x86_64-linux-gnu/ld-2.21.so
7ff76715c000-7ff76715d000 rw-p 00024000 fc:02 6030594                    /lib/x86_64-linux-gnu/ld-2.21.so
7ff76715d000-7ff767160000 rw-p 00000000 00:00 0 
7ffefe718000-7ffefe739000 rw-p 00000000 00:00 0                          [stack]
7ffefe758000-7ffefe75a000 r--p 00000000 00:00 0                          [vvar]
7ffefe75a000-7ffefe75c000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
Aborted

In fact, qstat fails on this server: 77.111.250.121:27025; querying `qstat -gps 77.111.250.121:27025` does the same.

It fails on sprintf in the xform_name_u2 function in xform.c.

nemiver: `qstat -gps 77.111.250.121:27025`

I'm using the latest revision of the master branch.

illwieckz commented 9 years ago

`qstat -xml -utf8 -gsm,ut2004 gsm.qtracker.com:28900` is running fine.

illwieckz commented 9 years ago

`qstat -json -gsm,ut2004 gsm.qtracker.com:28900` too.

illwieckz commented 9 years ago

It's related to the name transformation features; using the undocumented `-nnx` switch fixes the problem. See 8dd3f4a.

illwieckz commented 9 years ago

OK, got it, there was a line doing this:

`sprintf(color, "#%02hhx%02hhx%02hhx", s[0], s[1], s[2]);`

on a color string of size 5, supposedly for `#NNN\0`, but the color codes are stored as two-character hex numbers, like `#F84040\0`, so an 8-sized string.
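The sizing mistake described in the comment above, shown as an added example that is not qstat's own code and not part of the issue thread. It reuses the format string and the 5-byte buffer size quoted by the reporter; the function names (`color_format_length`, `format_color`, `sample_*`) are hypothetical, the sample bytes `F8 40 40` are constructed from the `#F84040` the comment mentions, and replacing `sprintf` with a bounded `snprintf` plus a return-value check is this example's fix, not necessarily the one the project committed. The "bad" size is exercised with `snprintf`, which truncates instead of writing past the end, so the program runs cleanly while still showing the 7-vs-4 character mismatch that glibc's `__sprintf_chk` aborted on.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Faulty line from the issue:
 *   sprintf(color, "#%02hhx%02hhx%02hhx", s[0], s[1], s[2]);
 * `color` was 5 bytes (room for "#NNN" plus NUL), but %02hhx always emits
 * two hex digits per byte, so the output is "#RRGGBB": 7 characters plus
 * the terminator, i.e. 8 bytes. */
#define COLOR_FMT       "#%02hhx%02hhx%02hhx"
#define COLOR_BUF_BAD   5   /* size the buggy code reserved (assumption from the comment) */
#define COLOR_BUF_GOOD  8   /* strlen("#RRGGBB") + 1 */

/* Characters snprintf needs for the formatted colour, excluding the NUL.
 * snprintf(NULL, 0, ...) is the portable way to measure before writing. */
int color_format_length(const uint8_t s[3]) {
    return snprintf(NULL, 0, COLOR_FMT, s[0], s[1], s[2]);
}

/* Hardened replacement for the sprintf call: bounded write, always
 * NUL-terminated, and the caller learns whether the output fit.
 * On truncation the buffer holds a prefix and false is returned. */
bool format_color(char *out, size_t out_len, const uint8_t s[3]) {
    if (out == NULL || out_len == 0)
        return false;
    int n = snprintf(out, out_len, COLOR_FMT, s[0], s[1], s[2]);
    return n >= 0 && (size_t)n < out_len;
}

/* Constructed sample: the colour "#F84040" quoted in the issue. */
static const uint8_t SAMPLE_RGB[3] = {0xF8, 0x40, 0x40};
static char sample_buf[COLOR_BUF_GOOD + 8];

int sample_needed_len(void) {
    return color_format_length(SAMPLE_RGB);
}

/* Formats the sample into a buffer limited to `limit` bytes and reports
 * whether it fit. With limit == COLOR_BUF_BAD this reproduces the faulty
 * sizing safely: snprintf stops at "#f84" where sprintf would have written
 * three bytes past the end of the object. */
bool sample_fits_in(size_t limit) {
    if (limit > sizeof sample_buf)
        limit = sizeof sample_buf;
    return format_color(sample_buf, limit, SAMPLE_RGB);
}

const char *sample_formatted(size_t limit) {
    sample_fits_in(limit);
    return sample_buf;
}

int main(void) {
    printf("%d chars + NUL needed; buggy buffer held %d bytes\n",
           sample_needed_len(), COLOR_BUF_BAD);
    printf("5-byte buffer: fits=%d, output \"%s\"\n",
           (int)sample_fits_in(COLOR_BUF_BAD), sample_formatted(COLOR_BUF_BAD));
    printf("8-byte buffer: fits=%d, output \"%s\"\n",
           (int)sample_fits_in(COLOR_BUF_GOOD), sample_formatted(COLOR_BUF_GOOD));
    return 0;
}
```

Two checks catch this class of bug before a remote server does: GCC 7 and later warn about a `sprintf` whose format cannot fit the destination object with `-Wformat-overflow` (enabled by `-Wall`), and building with `-O2 -D_FORTIFY_SOURCE=2` turns the write into the `__sprintf_chk` abort seen in the report instead of silent stack corruption.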