Hi everybody,
I made a small and simple workaround against the exploit, that proved to
work with hlds 3.1.1.1x and 3.1.1.0.
It consists of a set of shared objects (boffix_ARCH.so) that need to be
put in your hlds directory. Add a line
export LD_PRELOAD=./boffix_YOURARCH.so
to the beginning of your hlds_run script (like after the shell magic
"#!/bin/sh", or before the LD_LIBRARY_PATH export).
YOURARCH needs to be the same as the engine_XXX.so you're using, that is
i386 for 3.1.1.0 (guess that's the only one for that version) or amd,
i386, i486, i686 for the 3.1.1.1x versions.
Here's the source for the fix:
--- snip ---
#define _GNU_SOURCE     /* documented way to get the GNU extensions of dlfcn.h */
#include <stdio.h>
#include <stdlib.h>     /* exit() */
#include <string.h>     /* strlen() */
#include <dlfcn.h>
/* Same name and signature as the engine's function: with LD_PRELOAD the
 * dynamic linker resolves calls to this one instead of the engine's. */
void Info_FindLargestKey(char* string)
{
void (*origInfo_FindLargestKey)(char*);
char* error;
void* handle;
/* Get a handle to the engine; change the file name to match your engine_XXX.so */
handle = dlopen("./engine_i386.so", RTLD_NOW);
if (handle == NULL)
{
fprintf(stderr, "%s\n", dlerror());
exit(1);
}
dlerror(); /* clear any stale error before dlsym() */
origInfo_FindLargestKey = dlsym (handle, "Info_FindLargestKey");
if ((error = dlerror()) != NULL)
{
fprintf(stderr, "%s\n", error);
exit(1);
}
/* Cut the string to 255 bytes so the engine's fixed-size buffer cannot overrun */
if (strlen(string) > 255)
{
string[255] = 0;
}
origInfo_FindLargestKey(string);
dlclose(handle); /* drop our reference; hlds itself keeps the engine loaded */
}
--- snip ---
needs to be compiled with:
gcc -fpic boffix.c -shared -Wl,-soname,boffix.so,-g -lc -o boffix_ARCH.so
_after_ changing the "./engine_XXX.so" to what is appropriate for your
system.
A small overview of how the workaround works:
Ask the dynamic linker to load our fix .so before everything else (through
LD_PRELOAD). That way the linker uses the exported Info_FindLargestKey
instead of the one provided with the engine.so. When called, the
workaround function queries a handle to the original engine (that's why
there's one for every engine, I was simply too lazy to make the program
figure it out), and retrieves the address of the original function. It
then checks if the argument-string is longer than 255 bytes, and if it is
sets the 256th byte to zero, thus terminating the string before a
buffer overrun would occur. Afterwards the original function is called with
the possibly modified argument.
I also attached already compiled .so's so you can simply pick the one that
fits your system.
Of course everything is provided as is, and I'm giving no warranty at
all... valve didn't either, when they ignored the exploit for so long...
;)
Hope this helps some of you. If you think that it's no good simply don't
use it :)
Best regards,
Dominic (Virtual Master, vmaster @ qn & gn)
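As an added example (not Dominic's code, and not part of the original post), here is an engine-independent variant of the same LD_PRELOAD shim: instead of dlopen()ing a hard-coded engine_i386.so, it asks the dynamic linker for the next definition of Info_FindLargestKey after our own library with dlsym(RTLD_NEXT, ...), so one build serves every engine_XXX.so. The 255-byte limit and the function name come from the post; the build command and the RTLD_NEXT approach are assumptions.

```c
/* Added example: architecture-independent variant of the LD_PRELOAD shim.
 * Not Dominic's code. Uses dlsym(RTLD_NEXT, ...) so the same .so works with
 * any engine_*.so instead of hard-coding "./engine_i386.so".
 * Build (assumed): gcc -shared -fPIC -o boffix.so boffix.c -ldl */
#define _GNU_SOURCE          /* needed for RTLD_NEXT */
#include <dlfcn.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_KEY_STRING 255   /* limit the workaround enforces, as in the post */

/* Truncate s in place to at most max bytes (excluding the terminator).
 * Returns 1 if the string was truncated, 0 if it was already short enough. */
int clamp_key_string(char *s, size_t max)
{
    if (s == NULL || strlen(s) <= max)
        return 0;
    s[max] = '\0';
    return 1;
}

/* Interposed function: same name and signature as the engine's, so with
 * LD_PRELOAD the dynamic linker resolves calls to this one first. */
void Info_FindLargestKey(char *string)
{
    static void (*orig)(char *) = NULL;

    if (orig == NULL) {
        /* RTLD_NEXT = the next definition of the symbol after this library
         * in the search order, i.e. the engine's own implementation. */
        dlerror();                         /* clear any stale error */
        orig = (void (*)(char *))dlsym(RTLD_NEXT, "Info_FindLargestKey");
        const char *err = dlerror();
        if (orig == NULL) {
            fprintf(stderr, "boffix: cannot find original Info_FindLargestKey: %s\n",
                    err ? err : "symbol not found");
            exit(1);
        }
    }
    clamp_key_string(string, MAX_KEY_STRING);  /* bound the string first */
    orig(string);                              /* then call the engine */
}
```

Because the lookup is by symbol order rather than file name, the same boffix.so can be preloaded in front of any of the engine_i386/i486/i686/amd builds.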
_______________________________________________
To unsubscribe, edit your list preferences, or view the list archives, please visit:
http://list.valvesoftware.com/mailman/listinfo/hlds_linux