r5sdk/r5dev/engine/client/cl_ents_parse.cpp

//====== Copyright <20> 1996-2005, Valve Corporation, All rights reserved. =======//
//
// Purpose: Parsing of entity network packets.
//
// $NoKeywords: $
//=============================================================================//
#include "core/stdafx.h"
#include "public/const.h"
#include "engine/client/cl_ents_parse.h"

bool CL_CopyExistingEntity(__int64 a1, unsigned int* a2, char* a3)
{
	int nNewEntity = *reinterpret_cast<int*>(a1 + 40);
	if (nNewEntity >= MAX_EDICTS || nNewEntity < NULL)
	{
		// Value isn't sanitized in release builds for
		// every game powered by the Source Engine 1
		// causing read/write outside of array bounds.
		// This defect has let to the achievement of a
		// full-chain RCE exploit. We hook and perform
		// sanity checks for the value of m_nNewEntity
		// here to prevent this behavior from happening.
		return false;
	}
	return v_CL_CopyExistingEntity(a1, a2, a3);
}
-												CL_CopyExistingEntity: implement missing bounds check

Implement bounds check for non-sanitized value of u.m_nNewEntity.
Debug builds of the engine have an assertion, however in release these are stripped.
This fixes a full chain client RCE exploit, for more information, see: https://ctf.re/source-engine/exploitation/2021/05/01/source-engine-2/

											
										
										
											2022-09-21 02:38:58 +02:00
+								//====== Copyright <20> 1996-2005, Valve Corporation, All rights reserved. =======//
 								//
 								// Purpose: Parsing of entity network packets.
 								//
 								// $NoKeywords: $
 								//=============================================================================//
 								#include "core/stdafx.h"
 								#include "public/const.h"
 								#include "engine/client/cl_ents_parse.h"
 								bool CL_CopyExistingEntity(__int64 a1, unsigned int* a2, char* a3)
 								{
 									int nNewEntity = *reinterpret_cast<int*>(a1 + 40);
-												Use retail/dev naming convention

Renamed 'debug' cfg's to 'dev', refered anything in code as retail/dev/prod.

											
										
										
											2022-09-21 20:40:34 +02:00
+									if (nNewEntity >= MAX_EDICTS || nNewEntity < NULL)
-												CL_CopyExistingEntity: implement missing bounds check

Implement bounds check for non-sanitized value of u.m_nNewEntity.
Debug builds of the engine have an assertion, however in release these are stripped.
This fixes a full chain client RCE exploit, for more information, see: https://ctf.re/source-engine/exploitation/2021/05/01/source-engine-2/

											
										
										
											2022-09-21 02:38:58 +02:00
+									{
-												CL_CopyExistingEntity: remove Host_Error call

Calling Host_Error at this stage will cause a dead lock. Removed the call after performing several test (i think the reason all error calls are removed as of Titanfall 2 and Apex Legends (compared to Titanfall 1) is for this reason). Returning false does the job and allows the client to recover as soon as a valid packet comes in.

											
										
										
											2022-09-21 20:13:51 +02:00
+										// Value isn't sanitized in release builds for
 										// every game powered by the Source Engine 1
 										// causing read/write outside of array bounds.
 										// This defect has let to the achievement of a
 										// full-chain RCE exploit. We hook and perform
 										// sanity checks for the value of m_nNewEntity
 										// here to prevent this behavior from happening.
-												CL_CopyExistingEntity: implement missing bounds check

Implement bounds check for non-sanitized value of u.m_nNewEntity.
Debug builds of the engine have an assertion, however in release these are stripped.
This fixes a full chain client RCE exploit, for more information, see: https://ctf.re/source-engine/exploitation/2021/05/01/source-engine-2/

											
										
										
											2022-09-21 02:38:58 +02:00
+										return false;
 									}
 									return v_CL_CopyExistingEntity(a1, a2, a3);
 								}