From d6bd3b45d32a1a71a0ca410cbbc93b1e74b4faee Mon Sep 17 00:00:00 2001
From: divverent <divverent@d7cf8633-e32d-0410-b094-e92efae38249>
Date: Tue, 22 May 2007 07:39:05 +0000
Subject: [PATCH] Reject clc_stringcmd with \r and \n in them; when developer
 is set, hex dump these commands. Exception: \r and \n are allowed at the end
 of a clc_stringcmd, but get cut off before processing (DP builds from before
 yesterday did that with sentcvar commands).

git-svn-id: svn://svn.icculus.org/twilight/trunk/darkplaces@7335 d7cf8633-e32d-0410-b094-e92efae38249
---
 sv_user.c | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)

diff --git a/sv_user.c b/sv_user.c
index ee039d13..86fca561 100644
--- a/sv_user.c
+++ b/sv_user.c
@@ -717,7 +717,7 @@ extern sizebuf_t vm_tempstringsbuf;
 void SV_ReadClientMessage(void)
 {
 	int cmd, num, start;
-	char *s;
+	char *s, *p, *q;
 
 	//MSG_BeginReading ();
 	sv_numreadmoves = 0;
@@ -759,6 +759,21 @@ void SV_ReadClientMessage(void)
 
 		case clc_stringcmd:
 			s = MSG_ReadString ();
+			q = NULL;
+			for(p = s; *p; ++p) switch(*p)
+			{
+				case 10:
+				case 13:
+					if(!q)
+						q = p;
+					break;
+				default:
+					if(q)
+						goto clc_stringcmd_invalid; // newline seen, THEN something else -> possible exploit
+					break;
+			}
+			if(q)
+				*q = 0;
 			if (strncasecmp(s, "spawn", 5) == 0
 			 || strncasecmp(s, "begin", 5) == 0
 			 || strncasecmp(s, "prespawn", 8) == 0)
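Review bot: The newline scan in the `clc_stringcmd` case matches the bare codes `case 10:` and `case 13:` and carries no comment on why trailing line endings are tolerated while embedded ones are rejected; that rationale exists only in the commit message. Writing `case '\n':` and `case '\r':` and putting a comment above the loop, for example `// only trailing \r/\n are allowed (older DP builds append them to sentcvar) and are cut off; a newline followed by more text is rejected`, would keep the intent next to the check. The `for` has an unbraced `switch` as its body and the `goto` leaves both for a label further down the outer `switch`, so bracing the loop would make that exit easier to follow. SV_ReadClientMessage begins and ends outside this hunk.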
@@ -776,6 +791,12 @@ void SV_ReadClientMessage(void)
 				Cmd_ExecuteString (s, src_client);
 			break;
 
+clc_stringcmd_invalid:
+			Con_Printf("Received invalid stringcmd from %s\n", host_client->name);
+			if(developer.integer)
+				Com_HexDumpToConsole((unsigned char *) s, strlen(s));
+			break;
+
 		case clc_disconnect:
 			SV_DropClient (false); // client wants to disconnect
 			return;
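Review bot: The rejection path at `clc_stringcmd_invalid` prints one console line per rejected command with no throttling, and it identifies the sender only by `host_client->name`, a value the client presumably chooses itself. As far as these lines show, the client is not dropped, so a peer that keeps sending such commands can fill the server console and log, and the name alone may not be enough to attribute the traffic. Consider logging the client's slot number or address next to the name and limiting how often the message is printed per client. The label would also benefit from a comment such as `// reached only via goto from the clc_stringcmd newline check; the command is discarded, not executed`, since it sits between two `case` labels and is easy to misread as fallthrough. The enclosing function continues outside this hunk.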
-- 
2.39.5