Information Assurance

Nick Bennett



Bugtraq Analysis

Gamespy Bug


Bugtraq email: Hidden Gamespy code leads to vulnerabilities in diffused games (BF1942, Halo, Dredd and more)

Link: http://www.securityfocus.com/archive/1/355086/2004-02-21/2004-02-27/2

The Gamespy SDK is used in numerous games for online CD-key validation. It ships in many popular games, including one of my favorites, Halo. The following bug will crash the game's server.

The bug is in the portion of the code that copies part of the received query packet into a new buffer. That code is similar to the code below:

	line 1: int size = strchr(buff + 1, '\\') - buff;
	line 2: if(size > 32) return;
	line 3: strncpy(querybuff, buff + 1, size);

The variable "buff" is the received query packet, part of which will be copied into "querybuff". The variable "size" is a signed integer holding the number of bytes to copy from "buff" to "querybuff". Line 2 correctly checks for a buffer overflow and exits the function without copying any part of "buff" if one is found. However, the code never checks whether the call strchr(buff + 1, '\\') on line 1 fails. If it does fail, strchr() returns NULL (a zero pointer), so the value of size becomes '0 - buff'. Since size is signed, it is now a negative number. When the program reaches line 2, it does not exit the function, because size, a negative number, is less than 32. Then, when line 3 is executed, the call strncpy(querybuff, buff + 1, size) treats the negative size as a huge unsigned length, faults with an exception, and crashes the game's server.

It is actually pretty easy to make strchr() fail and, consequently, crash the server: sending the single character ';' to the UDP query port of the game server hosting the match is enough.

This problem could have been prevented if the authors had written the above code more carefully. Had they checked whether strchr() failed, and handled that case the same way they handled the buffer overflow, the crash would not have been possible.

There is a relatively simple workaround for this problem: change the comparison in line 2 from a signed comparison to an unsigned one. This way, if strchr() fails and size = "0 - buff", the comparison in line 2 is true and the function returns without executing strncpy().
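The failure described above and the two fixes, as an added example that is not the Gamespy SDK's code or the advisory's: original_size() reproduces the "0 - buff" result for a packet with no backslash, the two check functions contrast the signed comparison on line 2 with the unsigned workaround, and extract_query() is a fuller rewrite that tests the strchr() result explicitly. It assumes the receiver has already NUL-terminated the datagram (the original strchr() call needs that too) and that querybuff is 32 bytes.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not the Gamespy SDK's code. buff is a query datagram the
 * receiver has already NUL-terminated. */

/* Reproduce the original's size computation: strchr(buff + 1, '\\') - buff.
 * When no backslash follows, strchr() returns NULL and the result is
 * "0 - buff", a negative number. Pointer-to-integer casts are used so the
 * NULL case is computed arithmetically rather than as an undefined pointer
 * subtraction. */
long original_size(const char *buff)
{
    const char *sep = strchr(buff + 1, '\\');
    return (long)(uintptr_t)sep - (long)(uintptr_t)buff;
}

/* Line 2 as written: signed comparison. Returns 1 if the function would
 * return early. A negative size slips through (returns 0) and reaches strncpy(). */
int signed_check_rejects(long size) { return size > 32; }

/* The workaround from the analysis: the same comparison made unsigned. The
 * negative size wraps to a huge value, so the early return now happens. */
int unsigned_check_rejects(long size) { return (unsigned long)size > 32; }

/* A fuller fix: check strchr() explicitly, bound the copy to the destination,
 * and NUL-terminate. Copies only the text between the two backslashes.
 * Returns the number of bytes copied, or -1 if the packet is rejected. */
int extract_query(const char *buff, char *querybuff, size_t querylen)
{
    const char *end;
    size_t size;

    if (buff[0] == '\0')
        return -1;                  /* empty datagram: nothing after the first byte */
    end = strchr(buff + 1, '\\');
    if (end == NULL)
        return -1;                  /* no closing backslash: the ';' packet is rejected here */
    size = (size_t)(end - (buff + 1));
    if (size >= querylen)
        return -1;                  /* would overflow querybuff; leave room for the NUL */
    memcpy(querybuff, buff + 1, size);
    querybuff[size] = '\0';
    return (int)size;
}
```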

The programmers of this code correctly checked for buffer overflows when copying one buffer to the next. However, as this example shows, buffers present other problems than just overflows. In the future, I would recommend that programmers be aware of and guard against this type of vulnerability as well as buffer overflows.