Fix bad client reliableAcknowledge DOS exploit

Having a reliableAcknowledge of 0x7FFFFFFF causes a massive loop to be executed in SV_UpdateServerCommandsToClient due to the + 1 overflow.
ioquake · Apr 19, 2023 · 47c9641 · 47c9641
1 parent 31c6d2f
commit 47c9641
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/code/server/sv_client.c b/code/server/sv_client.c
@@ -1917,7 +1917,7 @@ void SV_ExecuteClientMessage( client_t *cl, msg_t *msg ) {
 	// NOTE: when the client message is fux0red the acknowledgement numbers
 	// can be out of range, this could cause the server to send thousands of server
 	// commands which the server thinks are not yet acknowledged in SV_UpdateServerCommandsToClient
-	if (cl->reliableAcknowledge < cl->reliableSequence - MAX_RELIABLE_COMMANDS) {
+	if ((cl->reliableSequence - cl->reliableAcknowledge >= MAX_RELIABLE_COMMANDS) || (cl->reliableSequence - cl->reliableAcknowledge < 0)) {
 		// usually only hackers create messages like this
 		// it is more annoying for them to let them hanging
 #ifndef NDEBUG