Prevent DSCM-Users from crashing others #108
Comments
@Jellybaby34 Do you have knowledge of the problem? Is it enough to check that the name is < 16 chars and does not contain
Do you have any evidence that this is happening at any time other than summoning/invasions? The post would suggest that it is, but if that were the case then I'd expect far more reports of DSCM crashing people. One person with a bad name would poison the network and nuke everybody in that level range / area. I was actually going to tackle (1) this weekend.
Minor note, I believe it's actually a "#c" that can't exist, as that should indicate a colour code. I haven't tested myself but I believe a lone "#" is fine. Edit: This is reversed. A lone # will crash it, but at least when examining your own sign a #c is silently removed.
I linked the wrong thread. I meant this one: http://steamcommunity.com/app/211420/discussions/0/358415103477070691/
Ah, k. That one makes sense. Yes, no surprises there but we should definitely fix that one for people.
The best approach is shortening names to 16 characters maximum and replacing any #'s with another character e.g. "!". Shortening the name to 16 characters fixes one of the crashes that occur when touching summon signs which was due to a buffer overflow. It also fixes an issue where if the invader's name was longer than 16 characters, rather than just copy the first 16 bytes it would just leave the copy function and the invader would be using whatever name the previous invader had. Stripping any instance of the # in player names fixes the other type of crashing due to incorrectly formatted text tagging. The game enters a routine when it reads a # in the string it's about to display and if it isn't formatted like it expects i.e. #c[FFFFFF]txthere#c it just dies. Furthermore the name used when you touch your own summon sign is queried directly through the steam api so even if you purged any #'s in a person's name they would still crash if they touched their own sign. TL;DR Best fix is to replace any #'s in the person's name with another character and limit it to 16 characters. Only issue then is crashing when touching your own summon sign due to it getting your steam name through the steam api
@Wulf2k Did you test that your fix actually prevents crashing of other players in the various scenarios?
Had a quick look and it works at removing #'s and shortening names so that should prevent people inadvertently crashing those who aren't running the appropriate fixes. Only nitpick is that it shortens names to 15 characters rather than 16 which is the maximum that can be used before it crashes others.
Doesn't the 16th character have to be a 0x00, or else it will just blindly I had nobody on to test with last night. Still, easy test and fix at some
Chronial, I tested as much as I could by checking my own summoning sign but
You're right. It's 15 then the null byte or else it overruns the stack buffer. Sorry for the wrong information, I thought it was 16 characters.
Doh, I just took your word for it and upped it to 16 last night. I'll put Got a code for another copy of Dark Souls last night so these things should You're right. It's 15 then the null byte or else it overruns the stack
@Wulf2k I had a look at what the game does, and a big portion of the locations the namecrash fix patches are places in which the name was just directly retrieved from the steam api. So it doesn't matter what's reported via the game's mechanic. Given that information I think we should check for the player's name and if it violates the name rules, DSCM should refuse to work and display a big message instead that describes the problem and tells the user how to fix it. If we allow bad-name users to use DSCM, we help them crash as many machines as possible, which I don't think we should do ^^. Are you fine with my proposal or do you disagree?
I'm ok with it in theory, but how many calls are there? Would it be reasonable to just patch each call so it does an extra "jmp 0xOURCODE, mov al, 00, mov [edi+15], al, jmp 0xORIGCODE"? Edit: Er, that fixes the local crash but not the outbound crash. Yeah, we should be forceful.
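An added illustration of the two rules the thread converges on, not DSCM's own code: a 16-byte name buffer holds 15 bytes plus a terminating NUL, and any `#` (which the game reads as the start of a `#c[FFFFFF]txt#c` colour tag) is replaced with `!`. `name_is_safe` is the startup check proposed above against the name the Steam API reports; `sanitize_name` is the outbound copy. Function names, the sample names and the `main` are assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Size of the game's fixed name buffer, as established in the thread:
   15 usable bytes, and the 16th must be NUL or the stack buffer overruns. */
#define NAME_BUF_SIZE 16
#define NAME_MAX_LEN  (NAME_BUF_SIZE - 1)

/* Check a name as the game will see it (e.g. the one the Steam API returns).
   Safe means: at most 15 bytes and no '#', since a '#' sends the display
   routine into its colour-tag parser, which dies on a malformed tag. */
bool name_is_safe(const char *name)
{
    for (size_t i = 0; name[i] != '\0'; i++) {
        if (i >= NAME_MAX_LEN || name[i] == '#')
            return false;
    }
    return true;
}

/* Copy a name into a NAME_BUF_SIZE-byte buffer the way the fix describes:
   replace every '#' with '!' and stop after 15 bytes, always NUL-terminating
   so the 16th byte is the 0x00 the receiving game expects.
   Returns the number of bytes copied (not counting the NUL). */
size_t sanitize_name(const char *name, char out[NAME_BUF_SIZE])
{
    size_t n = 0;
    for (; n < NAME_MAX_LEN && name[n] != '\0'; n++)
        out[n] = (name[n] == '#') ? '!' : name[n];
    out[n] = '\0';
    return n;
}

int main(void)
{
    /* Constructed sample names for this example, not real player names. */
    const char *samples[] = { "Solaire", "#c[FF0000]Red#c", "AVeryLongPlayerName#1" };
    char buf[NAME_BUF_SIZE];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t n = sanitize_name(samples[i], buf);
        printf("%-24s safe=%d -> \"%s\" (%zu bytes)\n",
               samples[i], name_is_safe(samples[i]), buf, n);
    }
    return 0;
}
```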
There are two ways to do this:
We should implement (2) soon and change over to (1) if somebody has time and energy.