| lua bug that crashes server | |
|
|
Author | Message |
---|
|tm|
Messages : 30 Joined/Date d'inscription : 2015-06-19
| Subject: lua bug that crashes server Sun Jun 21, 2015 4:54 am | |
| There's a bug in lua that crashes a server when the player's text contains conversion characters and this is passed directly into the logline function, notably "%n". You could say this is a bug in lua, but arguably it's down to the coder to make sure that user input is cleaned to avoid this type of injection style vulnerability. A quick workaround is to perform a simple string replace on the user input to escape these characters. Find this line at the start of the onPlayerSayText function:
- Code:
text2 = string.format("SCLog: Player %s says: %s. Their IP is: %s", getname(cn), text, getip(cn))
And replace with this:
- Code:
-- double every "%" in the name and chat text so logline treats them as literal percent signs
text2 = string.format("SCLog: Player %s says: %s. Their IP is: %s", getname(cn):gsub("%%", "%%%%"), text:gsub("%%", "%%%%"), getip(cn))
Thanks to DotA for bringing it to my attention, HP for sending across more detailed information and Mashy for his detailed explanation and fixing the bug at the source.
Last edited by |tm| on Mon Jun 22, 2015 5:29 am; edited 2 times in total | |
|
| |
Park
Messages : 272 Joined/Date d'inscription : 2011-11-04
| Subject: Re: lua bug that crashes server Sun Jun 21, 2015 11:40 am | |
| lol yey you actually are back "alive", nice to see yar back! | |
|
| |
mashy
Messages : 4 Joined/Date d'inscription : 2015-06-21
| Subject: Re: lua bug that crashes server Sun Jun 21, 2015 4:52 pm | |
| Well it's not fixed. So this bug basically occurs because the AssaultCube function "logline" was ported incorrectly to lua. %n on the other hand causes an exception because n is a flag character passed to vsnprintf by logline but because it was ported incorrectly by lua it can only take two arguments in lua so vsnprintf can't be used correctly instead even user input has to be passed as first argument to vsnprintf and since the n flag is
- Quote :
- The number of characters written so far is stored into the integer indicated by the int * (or variant) pointer argument. No argument is converted.
and no character has been written so far it'll probably try to access a null pointer or do something else that causes some kind of exception. An easy fix would probably be replacing the line 2573 in src/lua.cpp with:
- Code:
logline( lua_tonumber( L, 1 ), "%s", lua_tostring( L, 2 ) );
And yes it's a lua bug since logline in AC actually accepts variable amount of arguments. Why it's not fixed well... escaping % works too but all user input which will be logged will be affected not only stuff they write. I hope you can think of some more user input besides writing in chat. I hope |HP| already passed most of this stuff on to you. Anyway it's important to know what exactly causes the bug to fix it reliably. Thanks for caring. | |
|
| |
Guest Guest
| Subject: Re: lua bug that crashes server Sun Jun 21, 2015 6:44 pm | |
|
Last edited by BOKABORE!!!!!!!!!!!!!!!!! on Wed Dec 30, 2015 5:34 pm; edited 1 time in total |
|
| |
DotA
Messages : 102 Joined/Date d'inscription : 2012-08-05
| Subject: Re: lua bug that crashes server Sun Jun 21, 2015 7:05 pm | |
| | |
|
| |
|tm|
Messages : 30 Joined/Date d'inscription : 2015-06-19
| Subject: Re: lua bug that crashes server Mon Jun 22, 2015 5:25 am | |
| - Park wrote:
- lol yey you actually are back "alive", nice to see yar back!
Cool thanks man it's nice to be back and awesome most peeps are still around =] It took some pretty dark magic to bring me back from the inner chambers of inferno, just don't let diablo know i'm missing ;-) | |
|
| |
|tm|
Messages : 30 Joined/Date d'inscription : 2015-06-19
| Subject: Re: lua bug that crashes server Mon Jun 22, 2015 5:37 am | |
| - mashy wrote:
- Well it's not fixed.
So this bug basically occurs because the AssaultCube function "logline" was ported incorrectly to lua. %n on the other hand causes an exception because n is a flag character passed to vsnprintf by logline but because it was ported incorrectly by lua it can only take two arguments in lua so vsnprintf can't be used correctly instead even user input has to be passed as first argument to vsnprintf and since the n flag is
- Quote :
- The number of characters written so far is stored into the integer indicated by the int * (or variant) pointer argument. No argument is converted.
and no character has been written so far it'll probably try to access a null pointer or do something else that causes some kind of exception. An easy fix would probably be replacing the line 2573 in src/lua.cpp with:
- Code:
logline( lua_tonumber( L, 1 ), "%s", lua_tostring( L, 2 ) );
And yes it's a lua bug since logline in AC actually accepts variable amount of arguments.
Why it's not fixed well... escaping % works too but all user input which will be logged will be affected not only stuff they write. I hope you can think of some more user input besides writing in chat. I hope |HP| already passed most of this stuff on to you. Anyway it's important to know what exactly causes the bug to fix it reliably. Thanks for caring.
Awesomely detailed info thanks Mashy, I've edited my post as a "quick workaround" rather than an actual bug fix. I agree on the importance of understanding the actual cause of a bug to fix it properly, good stuff, anybody willing to take on updating the lua source and updating Baruch's sticky post? | |
|
| |
Guest Guest
| Subject: Re: lua bug that crashes server Mon Jun 22, 2015 9:41 am | |
|
Last edited by BOKABORE!!!!!!!!!!!!!!!!! on Wed Dec 30, 2015 5:38 pm; edited 1 time in total |
|
| |
|tm|
Messages : 30 Joined/Date d'inscription : 2015-06-19
| Subject: Re: lua bug that crashes server Tue Jun 23, 2015 6:28 am | |
| It was better before the hax jump in any form. Edge jumping, backwards play, saving ammo and timing reloads for a smooth stylish run.
Remember how long we all spent on gema-playergolem?
The bind/script not only ruined the skillful hax jump but the tunnel run as well, I spent hours on gema-h4x getting the number two tunnel route perfect and almost destroyed my left hand in the process.
I am completely disenchanted with the way things have become, and believe most of us feel the same, but we shared a pretty magical experience and lived through a period of time together that nobody can take away from us.
I agree it's something we should fight to hold on to, but practically speaking how can we combat it? | |
|
| |
|tm|
Messages : 30 Joined/Date d'inscription : 2015-06-19
| Subject: Re: lua bug that crashes server Tue Jun 23, 2015 6:36 am | |
| | |
|
| |
UKnowMe?
Messages : 51 Joined/Date d'inscription : 2012-10-08 Location/Localisation : Germany
| Subject: Re: lua bug that crashes server Wed Dec 16, 2015 12:24 pm | |
| Back to that bug: If an unescaped %n is logged to the console, it will crash the server (at least on Linux, couldn't crash it on Windows for some reason). The reference for printf states for "%n":
- Quote :
- Nothing printed. The corresponding argument must be a pointer to a signed int. The number of characters written so far is stored in the pointed location.
The reason it crashes is the fact that the function expects an int * as 3rd argument, but only two arguments were given. mashy's fix is correct for this situation, but you won't be able to use formatted output to the log. The better fix would be to change the logline Lua function to accept a variable number of arguments, just like the logline function from AssaultCube. | |
|
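The two remedies discussed in this thread side by side, as an added example that is not code from any post or from the server's source: `logline_fmt` is a hypothetical stand-in for a vsnprintf-based logger, and the helper names and the sample chat message are constructed for illustration. The risky call (user text as the format with no arguments) is never made here; `count_directives` only reports how many arguments such a call would try to fetch.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a printf-style logger built on vsnprintf. */
static int logline_fmt(char *out, size_t outsz, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return n;
}

/* Count directives that make vsnprintf fetch an argument ("%%" fetches none). */
static int count_directives(const char *s) {
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') s++;      /* literal percent */
        else n++;                  /* %n, %s, %d, ... or a stray '%' */
    }
    return n;
}

/* Workaround: double every '%'. Returns 0, or -1 if out is too small. */
static int escape_percent(const char *in, char *out, size_t outsz) {
    size_t o = 0;
    if (outsz == 0) return -1;
    for (; *in; in++) {
        if (o + (*in == '%' ? 2 : 1) >= outsz) return -1;
        out[o++] = *in;
        if (*in == '%') out[o++] = '%';
    }
    out[o] = '\0';
    return 0;
}

/* Fix at the source: the text is an argument, never the format. */
static int log_text(char *out, size_t outsz, const char *text) {
    return logline_fmt(out, outsz, "%s", text);
}

int main(void) {
    const char *chat = "gg %n 100%";   /* constructed sample chat message */
    char fixed[64], esc[64], viafmt[64] = "";
    log_text(fixed, sizeof fixed, chat);
    if (escape_percent(chat, esc, sizeof esc) == 0) logline_fmt(viafmt, sizeof viafmt, esc);
    printf("%d directives, outputs %s\n", count_directives(chat),
           strcmp(fixed, viafmt) ? "differ" : "match");
    return 0;
}
```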
| |
D3AR|LucaBrasi
Messages : 265 Joined/Date d'inscription : 2013-12-28 Location/Localisation : G E R M A N Y - B A V A R I A N
| Subject: Re: lua bug that crashes server Tue Dec 22, 2015 4:01 pm | |
| UKnowMe? - do you still play occasionally? | |
|
| |
|