Debian Bug report logs - #681812
openarena-server: segfaults when a client is requesting a callvote to kick another player


Package: openarena-server; Maintainer for openarena-server is Debian Games Team <pkg-games-devel@lists.alioth.debian.org>; Source for openarena-server is src:openarena.

Reported by: Markus Koschany <apo@gambaru.de>

Date: Mon, 16 Jul 2012 19:15:34 UTC

Severity: serious

Tags: patch

Found in version openarena/0.8.8-5

Fixed in versions openarena/0.8.8-5+deb7u1, openarena/0.8.8-7

Done: Simon McVittie <smcv@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Games Team <pkg-games-devel@lists.alioth.debian.org>:
Bug#681812; Package openarena-server. (Mon, 16 Jul 2012 19:15:37 GMT)


Acknowledgement sent to Markus Koschany <apo@gambaru.de>:
New Bug report received and forwarded. Copy sent to Debian Games Team <pkg-games-devel@lists.alioth.debian.org>. (Mon, 16 Jul 2012 19:15:37 GMT)


Message #5 received at submit@bugs.debian.org:

From: Markus Koschany <apo@gambaru.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: openarena-server: segfaults when a client is requesting a callvote to kick another player
Date: Mon, 16 Jul 2012 20:54:41 +0200
Package: openarena-server
Version: 0.8.8-5
Severity: normal

Dear Maintainer,

as I have hinted in my last report to #664637, there are at least two
different kinds of bugs which can lead to a server crash.

This one is reproducible with Debian's standard configuration. 

*How to reproduce the crash?*

1. Join the server and open the ingame console with Shift+ESC or ~.
2. Ask for a vote to kick a non-existing player on the server like

\callvote kick pullo

if pullo is a player who does not play on the server.

3. Result: Segmentation Fault and server crash

The crash always occurs if the callvote name differs from the actual player
names.

If you ask for a callvote and if you leave the field for the player
name blank, then the following message can be found in the log file.

NET_CompareBaseAdr: bad address type

As far as I can tell the "clientkick id"-command, which you can use
from the ingame menu, works as intended.

*Quick solution*

Disable the vote option to kick a player from the server in
/etc/openarena-server/server.cfg. The default value is:

set g_voteNames "/map_restart/nextmap/map/g_gametype/kick/clientkick/g_doWarmup/timelimit/fraglimit/shuffle" 

If you remove "kick" from the line the callvote option to kick another
player is disabled and nobody can crash the server anymore.

set g_voteNames "/map_restart/nextmap/map/g_gametype/clientkick/g_doWarmup/timelimit/fraglimit/shuffle" 

*Attachments*

I've attached my debug log files and the backtrace from gdb. It seems
that the if-condition in code/game/g_cmds.c line 1818 is never true
although the player doesn't exist. Somehow the server doesn't check
carefully enough if a player exists or not. 

Kind regards
Markus Koschany

-- System Information:
Debian Release: 6.0.5
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.0.24 (SMP w/1 CPU core)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages openarena-server depends on:
ii  adduser                   3.112+nmu2     add and remove users and groups
ii  ioquake3-server           1.36+svn2287-1 Standalone server for ioQuake3 bas
ii  libc6                     2.11.3-3       Embedded GNU C Library: Shared lib
ii  openarena-081-maps        0.8.5split-2   OpenArena game data - maps from 0.
ii  openarena-081-misc        0.8.5split-2   OpenArena game data - miscellaneou
ii  openarena-081-players     0.8.5split-2   OpenArena game data - player graph
ii  openarena-081-players-mat 0.8.5split-2   OpenArena game data - "mature" pla
ii  openarena-081-textures    0.8.5split-2   OpenArena game data - textures fro
ii  openarena-085-data        0.8.5split-2   OpenArena game data - 0.8.5 update
ii  openarena-088-data        0.8.8-1        OpenArena game data
ii  openarena-data            0.8.5-3        OpenArena game data

openarena-server recommends no packages.

openarena-server suggests no packages.

Versions of packages ioquake3-server depends on:
ii  libc6                   2.11.3-3         Embedded GNU C Library: Shared lib
ii  zlib1g                  1:1.2.3.4.dfsg-3 compression library - runtime

-- Configuration Files:
/etc/default/openarena-server changed [not included]
/etc/init.d/openarena-server changed [not included]
/etc/openarena-server/server.cfg changed [not included]

-- no debconf information
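
The "Quick solution" from the report above, as an added example that is not part of the original report or of the openarena package: shell functions that check whether a server.cfg still offers the kick vote and remove only that entry, leaving clientkick in place. The function names, the sample config and the assumption that "//" starts a comment line are illustrative; on a real server the file would be /etc/openarena-server/server.cfg.

```shell
#!/bin/sh
# Added example; not part of the bug report or the openarena package.
# Assumptions: "//" starts a comment line, and the cvar is spelled exactly
# as in the report (g_voteNames) and set with set/seta/sets.

VOTE_LINE='^[[:space:]]*set[a-z]*[[:space:]][[:space:]]*g_voteNames[[:space:]]'

# Exit 0 if FILE has an active g_voteNames line that still offers "kick".
# Matching "/kick/" with both slashes does not match "/clientkick/".
kick_vote_enabled() {
    grep "$VOTE_LINE" "$1" | grep -q '/kick/'
}

# Remove the "kick" entry from active g_voteNames lines in FILE.
# The original is kept as FILE.bak; every other line is copied unchanged.
disable_kick_vote() {
    cp -p "$1" "$1.bak" &&
        sed "/$VOTE_LINE/s#/kick/#/#" "$1.bak" > "$1"
}

# Run both functions on a constructed config modelled on the default
# quoted in the report.
demo() {
    cfg=$(mktemp) || return 1
    cat > "$cfg" <<'EOF'
// constructed sample config
// set g_voteNames "/kick/"
set g_voteNames "/map_restart/nextmap/map/g_gametype/kick/clientkick/g_doWarmup/timelimit/fraglimit/shuffle"
EOF
    kick_vote_enabled "$cfg" && echo "before: kick vote offered"
    disable_kick_vote "$cfg"
    kick_vote_enabled "$cfg" || echo "after: kick vote removed"
    grep "$VOTE_LINE" "$cfg"
    rm -f "$cfg" "$cfg.bak"
}

demo
```

A plain substitution of "kick" would also mangle "clientkick", which the report says works as intended; matching the entry together with its surrounding slashes avoids that.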



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Games Team <pkg-games-devel@lists.alioth.debian.org>:
Bug#681812; Package openarena-server. (Mon, 16 Jul 2012 19:51:06 GMT)


Acknowledgement sent to Markus Koschany <apo@gambaru.de>:
Extra info received and forwarded to list. Copy sent to Debian Games Team <pkg-games-devel@lists.alioth.debian.org>. (Mon, 16 Jul 2012 19:51:06 GMT)


Message #10 received at 681812@bugs.debian.org:

From: Markus Koschany <apo@gambaru.de>
To: 681812@bugs.debian.org
Subject: openarena-server: segfaults when a client is requesting a callvote to kick another player
Date: Mon, 16 Jul 2012 21:27:32 +0200
[openarena_server_debug.tar.gz (application/x-gzip, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Games Team <pkg-games-devel@lists.alioth.debian.org>:
Bug#681812; Package openarena-server. (Thu, 06 Sep 2012 20:42:03 GMT)


Acknowledgement sent to poul@poulsander.com:
Extra info received and forwarded to list. Copy sent to Debian Games Team <pkg-games-devel@lists.alioth.debian.org>. (Thu, 06 Sep 2012 20:42:03 GMT)


Message #15 received at 681812@bugs.debian.org:

From: Poul Sander <sago007@gmail.com>
To: 681812@bugs.debian.org
Subject: Fix
Date: Thu, 06 Sep 2012 22:38:25 +0200
I believe the following change will fix it:

http://code.google.com/p/oax/source/detail?r=304



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Games Team <pkg-games-devel@lists.alioth.debian.org>:
Bug#681812; Package openarena-server. (Thu, 13 Sep 2012 22:12:03 GMT)


Acknowledgement sent to Markus Koschany <apo@gambaru.de>:
Extra info received and forwarded to list. Copy sent to Debian Games Team <pkg-games-devel@lists.alioth.debian.org>. (Thu, 13 Sep 2012 22:12:03 GMT)


Message #20 received at 681812@bugs.debian.org:

From: Markus Koschany <apo@gambaru.de>
To: sago007@gmail.com
Cc: 681812@bugs.debian.org
Subject: Fix for Debian bug #681812
Date: Fri, 14 Sep 2012 00:09:34 +0200
tags 681812 patch
thanks

> I believe the following change will fix it:
>
> http://code.google.com/p/oax/source/detail?r=304

Hi Poul!

Thanks, I've rebuilt the package and it works. I've also
added DEP3 headers to your patch and attached it to this
bug report.

Regards
Markus
[0002-Fix-callvote-kick-player-does-not-exist-crash.patch (text/x-diff, attachment)]

Added tag(s) patch. Request was from Markus Koschany <apo@gambaru.de> to control@bugs.debian.org. (Thu, 13 Sep 2012 23:09:07 GMT)


Severity set to 'serious' from 'normal'. Request was from Simon McVittie <smcv@debian.org> to control@bugs.debian.org. (Fri, 14 Sep 2012 07:21:03 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Games Team <pkg-games-devel@lists.alioth.debian.org>:
Bug#681812; Package openarena-server. (Fri, 14 Sep 2012 07:33:06 GMT)


Acknowledgement sent to Simon McVittie <smcv@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Games Team <pkg-games-devel@lists.alioth.debian.org>. (Fri, 14 Sep 2012 07:33:06 GMT)


Message #29 received at 681812@bugs.debian.org:

From: Simon McVittie <smcv@debian.org>
To: Markus Koschany <apo@gambaru.de>, 681812@bugs.debian.org, poul@poulsander.com
Subject: Re: Bug#681812: openarena-server: segfaults when a client is requesting a callvote to kick another player
Date: Fri, 14 Sep 2012 08:17:42 +0100
severity 681812 serious
thanks

On Mon, 16 Jul 2012 at 20:54:41 +0200, Markus Koschany wrote:
> 1. Join the server and open the ingame console with Shift+ESC or ~.
> 2. Ask for a vote to kick a non-existing player on the server like
> 
> \callvote kick pullo
> 
> if pullo is a player who does not play on the server.

Hi, sorry for the delay in responding to this. Thank you both for your help
with this bug.

This is a DoS that remote unauthenticated users can trigger on-demand, so
I've bumped the severity up and am preparing an upload.
I'll ask for a freeze exception for it.

Regards,
    S



Reply sent to Simon McVittie <smcv@debian.org>:
You have taken responsibility. (Fri, 14 Sep 2012 07:36:03 GMT)


Notification sent to Markus Koschany <apo@gambaru.de>:
Bug acknowledged by developer. (Fri, 14 Sep 2012 07:36:03 GMT)


Message #34 received at 681812-close@bugs.debian.org:

From: Simon McVittie <smcv@debian.org>
To: 681812-close@bugs.debian.org
Subject: Bug#681812: fixed in openarena 0.8.8-5+deb7u1
Date: Fri, 14 Sep 2012 07:32:45 +0000
Source: openarena
Source-Version: 0.8.8-5+deb7u1

We believe that the bug you reported is fixed in the latest version of
openarena, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 681812@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon McVittie <smcv@debian.org> (supplier of updated openarena package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Fri, 14 Sep 2012 07:52:53 +0100
Source: openarena
Binary: openarena openarena-server openarena-dbg
Architecture: source amd64
Version: 0.8.8-5+deb7u1
Distribution: unstable
Urgency: low
Maintainer: Debian Games Team <pkg-games-devel@lists.alioth.debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Description:
 openarena  - fast-paced 3D first-person shooter
 openarena-dbg - debug symbols for OpenArena's game logic
 openarena-server - server and game logic for the game OpenArena
Closes: 681812
Changes:
 openarena (0.8.8-5+deb7u1) unstable; urgency=low
 .
   * Add patch from upstream to fix a client-triggerable server crash.
     Thanks to Poul Sander and Markus Koschany (Closes: #681812)




Reply sent to Simon McVittie <smcv@debian.org>:
You have taken responsibility. (Fri, 14 Sep 2012 10:21:03 GMT)


Notification sent to Markus Koschany <apo@gambaru.de>:
Bug acknowledged by developer. (Fri, 14 Sep 2012 10:21:03 GMT)


Message #39 received at 681812-close@bugs.debian.org:

From: Simon McVittie <smcv@debian.org>
To: 681812-close@bugs.debian.org
Subject: Bug#681812: fixed in openarena 0.8.8-7
Date: Fri, 14 Sep 2012 10:18:43 +0000
Source: openarena
Source-Version: 0.8.8-7

We believe that the bug you reported is fixed in the latest version of
openarena, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 681812@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon McVittie <smcv@debian.org> (supplier of updated openarena package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Fri, 14 Sep 2012 10:35:01 +0100
Source: openarena
Binary: openarena openarena-server openarena-dbg
Architecture: source amd64
Version: 0.8.8-7
Distribution: experimental
Urgency: low
Maintainer: Debian Games Team <pkg-games-devel@lists.alioth.debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Description:
 openarena  - fast-paced 3D first-person shooter
 openarena-dbg - debug symbols for OpenArena's game logic
 openarena-server - server and game logic for the game OpenArena
Closes: 681812 686648
Changes:
 openarena (0.8.8-7) experimental; urgency=low
 .
   * Merge from 0.8.8-5+deb7u1
     - Add patch from upstream to fix a client-triggerable server crash.
       Thanks to Poul Sander and Markus Koschany (Closes: #681812)
   * Request confirmation before enabling auto-downloading, which is
     a security risk (Closes: #686648)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 22 Oct 2012 07:25:44 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Jul 2 13:18:56 2023; Machine Name: bembo
