LandSandBoat / server

:sailboat: LandSandBoat - a server emulator for Final Fantasy XI. Just an X-34 landspeeder out for a drive.

Home Page: https://landsandboat.github.io/server/

πŸ› Map Server Crash On Invalid Zone Request (DoS)

atom0s opened this issue · comments

I affirm:

  • I understand that if I do not agree to the following points by completing the checkboxes my issue will be ignored.
  • I have read and understood the Contributing Guide and the Code of Conduct.
  • I have searched existing issues to see if the issue has already been opened, and I have checked the commit log to see if the issue has been resolved since my server was last updated.

OS / platform the server is running (if known)

Windows 11

Branch affected by issue

base

Steps to reproduce

This can be reproduced in several different ways. (I will not disclose a means for how a normal player can do this to avoid potential exploit abuse on existing servers.)

As a means to test this for fixing, a GM character can cause this issue by simply using the !zone <num> command with an invalid zone id.

Expected behavior

The server should properly validate the desired zone request and fail to properly attempt to zone the player if the zone is invalid, offline, unavailable to the player (i.e. lack of expansion installed), etc.

Additional Information

This bug report is similar to another I have reported in the past: #3941

The player can cause a zone request change to happen even if a zone is invalid/offline. The issue with this occurs in the 0x00A handler within packet_system.cpp here:

CZone* destZone = zoneutils::GetZone(destination);

In the event that zoneutils::GetZone has returned an invalid or nullptr zone, the server does not attempt to properly correct or handle this situation. The server will attempt to homepoint the character, but still allows the remaining code of the handler to execute, falling through into a condition which will crash the server.

The line destZone->IncreaseZoneCounter(PChar); will crash the server as destZone is null.

This can be abused by manipulating packets to intentionally crash the map server.
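The null-destination failure described in this issue and the guard it calls for, as an added example that is not part of the original thread or LandSandBoat's own code. `Zone`, `Char`, `ZoneRegistry`, `HandleZoneIn` and zone id 230 are hypothetical stand-ins; only the null return from `GetZone` and the `IncreaseZoneCounter` call mirror names on the page.

```cpp
// Added illustration: simplified stand-ins, not LandSandBoat's real classes.
#include <cstdint>
#include <map>
#include <memory>

struct Char { uint16_t zoneId = 0; bool homepointed = false; };

struct Zone {
    uint16_t id;
    int counter = 0;
    explicit Zone(uint16_t i) : id(i) {}
    void IncreaseZoneCounter(Char&) { ++counter; }
};

class ZoneRegistry {
    std::map<uint16_t, std::unique_ptr<Zone>> zones_;
public:
    void Add(uint16_t id) { zones_[id].reset(new Zone(id)); }
    // As described in the issue: an unknown/offline zone id yields nullptr.
    Zone* GetZone(uint16_t id) const {
        auto it = zones_.find(id);
        return it == zones_.end() ? nullptr : it->second.get();
    }
};

enum class ZoneResult { Entered, RejectedHomepointed };

// Hardened handler: the recovery path ends the request instead of
// falling through to code that dereferences destZone.
ZoneResult HandleZoneIn(const ZoneRegistry& reg, Char& ch, uint16_t destination) {
    Zone* destZone = reg.GetZone(destination);
    if (destZone == nullptr) {
        ch.homepointed = true;                  // recover the character...
        return ZoneResult::RejectedHomepointed; // ...and stop here
    }
    destZone->IncreaseZoneCounter(ch);          // safe: destZone is non-null
    ch.zoneId = destination;
    return ZoneResult::Entered;
}

int main() {
    ZoneRegistry reg;
    reg.Add(230); // constructed sample zone id
    Char gm;
    // 286 is the id used with !zone in the thread; here it is simply unregistered.
    return HandleZoneIn(reg, gm, 286) == ZoneResult::RejectedHomepointed ? 0 : 1;
}
```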

Sent you a DM on Discord, having trouble getting it to happen for me.

This is an issue that will happen when the map server is launched with arguments such as:

xi_map.exe --ip 127.0.0.1 --port 54230

To reproduce on a GM under this setup, you can use !zone 286 and it will crash with a fully stock LSB server/database. (The crash does not happen if the map server is executed directly.)

I think the PR I made has this finger-air-quotes fixed now. As #2150 mentioned when it added a homepoint call here, it's only meant to be a band-aid to prevent something really bad and does not address the underlying issue that caused all this: we shouldn't make it here with an invalid zone as that destination to start with. As such, I'd like to keep this issue open for a bit after the merge as a reminder to look into it further. Just stopping a crash is priority first. The previous PR was to prevent corrupted location data.