gema
Would you like to react to this message? Create an account in a few clicks or log in to continue.


A website for every gema-assaultcube fan
 
HomeHome  Latest imagesLatest images  SearchSearch  RegisterRegister  Log in  

 

 lua bug that crashes server

Go down 
+2
Park
|tm|
6 posters
AuthorMessage
|tm|




Messages : 30
Joined/Date d'inscription : 2015-06-19

lua bug that crashes server Empty
PostSubject: lua bug that crashes server   lua bug that crashes server EmptySun Jun 21, 2015 4:54 am

There's a bug in lua that crashes a server when the player's text contains conversion characters and this is passed directly into the logline function, notably "%n".

You could say this is a bug in lua, but arguably its down to the coder to make sure that user input is cleaned to avoid this type of injection style vulnerability.

A quick workaround is to perform a simple string replace on the user input to escape these characters.

Find this line at the start of the onPlayerSayText function:

Code:
text2 = string.format("SCLog: Player %s says: %s. Their IP is: %s",getname(cn), text ,getip(cn))

And replace with this:

Code:
text2 = string.format("SCLog: Player %s says: %s. Their IP is: %s",getname(cn):gsub("%%", "%%%%"), text:gsub("%%", "%%%%") ,getip(cn))

Thanks to DotA for bringing it to my attention, HP for sending across more detailed information and Mashy for his detailed explanation and fixing the bug at the source.



Last edited by |tm| on Mon Jun 22, 2015 5:29 am; edited 2 times in total
Back to top Go down
Park

Park


Messages : 272
Joined/Date d'inscription : 2011-11-04

Gema stats
farthest jump:

lua bug that crashes server Empty
PostSubject: Re: lua bug that crashes server   lua bug that crashes server EmptySun Jun 21, 2015 11:40 am

lol yey you actually are back "alive", nice to see yar back!
Back to top Go down
https://t.me/joinchat/APe7MT2YpmxobCH8tg7JJw
mashy




Messages : 4
Joined/Date d'inscription : 2015-06-21

lua bug that crashes server Empty
PostSubject: Re: lua bug that crashes server   lua bug that crashes server EmptySun Jun 21, 2015 4:52 pm

Well it's not fixed.
So this bug basically occurs because the AssaultCube function "logline" was ported incorrectly to lua.
%n on the other hand causes an exception because n is a flag character passed to vsnprintf by logline but because it was ported incorrectly by lua it can only take two arguments in lua so vsnprintf can't be used corretly instead even user input has to be passed as first argument to vsnprintf and since the n flag is
Quote :
The number of characters written so far is stored into the integer indicated by the int * (or variant) pointer argument. No argument is converted.
and no character has been writen so far it'll probably try to access a null pointer or do something else that causes some kind of exception.
An easy fix would probably be replacing the line 2573 in src/lua.cpp with:
Code:
logline( lua_tonumber( L, 1 ), "%s", lua_tostring( L, 2 ) );

And yes it's a lua bug since logline in AC actually accepts variable amount of arguments.

Why it's not fixed well... escaping % works too but all user input which will be logged will be affected not only stuff they write. I hope you can think of some more user input besides writing in chat. I hope |HP| already passed most of this stuff on to you. Anyway it's important to know what exactly causes the bug to fix it reliably. Thanks for caring.
Back to top Go down
Guest
Guest




lua bug that crashes server Empty
PostSubject: Re: lua bug that crashes server   lua bug that crashes server EmptySun Jun 21, 2015 6:44 pm

whore


Last edited by BOKABORE!!!!!!!!!!!!!!!!! on Wed Dec 30, 2015 5:34 pm; edited 1 time in total
Back to top Go down
DotA

DotA


Messages : 102
Joined/Date d'inscription : 2012-08-05

lua bug that crashes server Empty
PostSubject: Re: lua bug that crashes server   lua bug that crashes server EmptySun Jun 21, 2015 7:05 pm

LOL nice video
Back to top Go down
|tm|




Messages : 30
Joined/Date d'inscription : 2015-06-19

lua bug that crashes server Empty
PostSubject: Re: lua bug that crashes server   lua bug that crashes server EmptyMon Jun 22, 2015 5:25 am

Park wrote:
lol yey you actually are back "alive", nice to see yar back!

Cool thanks man it's nice to be back and awesome most peeps are still around =]

It took some pretty dark magic to bring me back from the inner chambers of inferno, just don't let diablo know i'm missing ;-)

Back to top Go down
|tm|




Messages : 30
Joined/Date d'inscription : 2015-06-19

lua bug that crashes server Empty
PostSubject: Re: lua bug that crashes server   lua bug that crashes server EmptyMon Jun 22, 2015 5:37 am

mashy wrote:
Well it's not fixed.
So this bug basically occurs because the AssaultCube function "logline" was ported incorrectly to lua.
%n on the other hand causes an exception because n is a flag character passed to vsnprintf by logline but because it was ported incorrectly by lua it can only take two arguments in lua so vsnprintf can't be used corretly instead even user input has to be passed as first argument to vsnprintf and since the n flag is
Quote :
The number of characters written so far is stored into the integer indicated by the int * (or variant) pointer argument. No argument is converted.
and no character has been writen so far it'll probably try to access a null pointer or do something else that causes some kind of exception.
An easy fix would probably be replacing the line 2573 in src/lua.cpp with:
Code:
logline( lua_tonumber( L, 1 ), "%s", lua_tostring( L, 2 ) );

And yes it's a lua bug since logline in AC actually accepts variable amount of arguments.

Why it's not fixed well... escaping % works too but all user input which will be logged will be affected not only stuff they write. I hope you can think of some more user input besides writing in chat. I hope |HP| already passed most of this stuff on to you. Anyway it's important to know what exactly causes the bug to fix it reliably. Thanks for caring.

Awesomely detailed info thanks Mashy, I've edited my post as a "quick workaround" rather than an actual bug fix.

I agree on the importance of understanding the actual cause of a bug to fix it properly, good stuff, anybody willing to take on updating the lua source and updating Baruch's sticky post?

Back to top Go down
Guest
Guest




lua bug that crashes server Empty
PostSubject: Re: lua bug that crashes server   lua bug that crashes server EmptyMon Jun 22, 2015 9:41 am

whore


Last edited by BOKABORE!!!!!!!!!!!!!!!!! on Wed Dec 30, 2015 5:38 pm; edited 1 time in total
Back to top Go down
|tm|




Messages : 30
Joined/Date d'inscription : 2015-06-19

lua bug that crashes server Empty
PostSubject: Re: lua bug that crashes server   lua bug that crashes server EmptyTue Jun 23, 2015 6:28 am

It was better before the hax jump in any form. Edge jumping, backwards play, saving ammo and timing reloads for a smooth stylish run.

Remember how long we all spent on gema-playergolem?

The bind/script not only ruined the skillful hax jump but the tunnel run as well, I spent hours on gema-h4x getting the number two tunnel route perfect and almost destroyed my left hand in the process.

I am completely disenchanted with the way things have become, and believe most of us feel the same, but we shared a pretty magical experience and lived through a period of time together that nobody can take away from us.

I agree it's something we should fight to hold on to, but practically speaking how can we combat it?
Back to top Go down
|tm|




Messages : 30
Joined/Date d'inscription : 2015-06-19

lua bug that crashes server Empty
PostSubject: Re: lua bug that crashes server   lua bug that crashes server EmptyTue Jun 23, 2015 6:36 am

I've started a new topic about this so we can come up with a plan: https://gema.forumactif.com/t333-the-haxjump-bind-script-problem
Back to top Go down
UKnowMe?




Messages : 51
Joined/Date d'inscription : 2012-10-08
Location/Localisation : Germany

Gema stats
farthest jump:

lua bug that crashes server Empty
PostSubject: Re: lua bug that crashes server   lua bug that crashes server EmptyWed Dec 16, 2015 12:24 pm

Back to that bug: If an unescaped %n is logged to the console, it will crash the server (at least on Linux, couldn't crash it on Windows for some reason)
The reference for printf states for "%n":
Quote :
Nothing printed.
The corresponding argument must be a pointer to a signed int.
The number of characters written so far is stored in the pointed location.
The reason it crashes is the fact that the function expects an int * as 3rd argument, but only two arguments were given.
mashy's fix is correct for this situation, but you won't be able to use formatted output to the log.
The better fix would be to change the logline Lua function to accept a variable number of arguments, just like the logline function from AssaultCube.
Back to top Go down
D3AR|LucaBrasi

D3AR|LucaBrasi


Messages : 265
Joined/Date d'inscription : 2013-12-28
Location/Localisation : G E R M A N Y - B A V A R I A N

Gema stats
farthest jump:

lua bug that crashes server Empty
PostSubject: Re: lua bug that crashes server   lua bug that crashes server EmptyTue Dec 22, 2015 4:01 pm

UKnowMe? - spielst du gelegentlich noch ?
Back to top Go down
Sponsored content





lua bug that crashes server Empty
PostSubject: Re: lua bug that crashes server   lua bug that crashes server Empty

Back to top Go down
 
lua bug that crashes server
Back to top 
Page 1 of 1
 Similar topics
-
» how to install lua mod on their server?
» Lua for AC server
» Lua server forum
» New Old Server as an exchange to GC.
» pls remove my ban from .45 server

Permissions in this forum:You cannot reply to topics in this forum
gema :: International :: Lua-
Jump to: