Bug Tracker – Full Text Bug Listing

Bug 1249

Summary: Wad Hashes aren't always checked clientside
Product: Odamex
Reporter: Maëllig Desmottes <Ch0wW>
Component: Server & Client
Assignee: Odamex Bug Reporter <odamex-bug-reporter>
Status: NEW
Severity: critical
Priority: P5
Version: 0.8.x
Hardware: All
OS: Other

Description Maëllig Desmottes 2019-01-25 16:45:34 UTC
When trying Freedoom 0.11.3 on my server, I noticed that my client, which was using Freedoom 0.9, was able to connect with no issue at all, even though it was seriously outdated.

As a result, it messed up the client view completely. Adding the MD5 hashes to the client & server didn't fix anything.

This is a huge security flaw, allowing any client with slightly modified IWADs to mess with the clients (or the other way around). Apparently, it was done in the past, but I don't seem to check anything about it in the source code.

Is it entirely normal?

Comment 1 Maëllig Desmottes 2019-01-25 17:57:08 UTC
Steps to reproduce:
1) Create 2 folders: one for the client, one for the server.
2) On the server, add Freedoom1.wad version 0.9 (easier to notice since maps are different). Clientside, add Freedoom1.wad version 0.11.3.

3) Create a server (using the default config is enough) with Freedoom1.wad
4) Client should run it like this: Odamex.exe -connect localhost

The server accepts the client even if the IWAD is different.

HOWEVER, if you try to join using Odalaunch, it'll throw an error.
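
The check this report says is missing on the direct-connect path, as an added sketch that is not Odamex code and not part of the original report: before joining, the client compares each WAD the server advertises by content hash rather than by filename. The names `wad_md5`, `check_wads` and `demo`, the advertised-list format and the sample file bytes are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def wad_md5(path, chunk_size=65536):
    """Return the hex MD5 of a file, read in chunks (WADs can be large)."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_wads(advertised, wad_dir):
    """Compare the server's (filename, md5) list against local files.

    Returns a list of (filename, reason) problems; an empty list means
    every advertised WAD is present locally with identical content.
    """
    problems = []
    # WAD names are matched case-insensitively; content is matched by hash.
    local = {p.name.lower(): p for p in Path(wad_dir).iterdir() if p.is_file()}
    for name, expected in advertised:
        path = local.get(name.lower())
        if path is None:
            problems.append((name, "missing"))
        elif wad_md5(path) != expected.lower():
            problems.append((name, "hash mismatch"))
    return problems


def demo():
    # Constructed stand-ins for two releases shipped under one filename.
    with tempfile.TemporaryDirectory() as srv, tempfile.TemporaryDirectory() as cli:
        (Path(srv) / "freedoom1.wad").write_bytes(b"IWAD" + b"release-A" * 64)
        (Path(cli) / "freedoom1.wad").write_bytes(b"IWAD" + b"release-B" * 64)
        advertised = [("FREEDOOM1.WAD", wad_md5(Path(srv) / "freedoom1.wad"))]
        return check_wads(advertised, cli), check_wads(advertised, srv)


if __name__ == "__main__":
    mismatched, matching = demo()
    print("client with other release:", mismatched)
    print("client with same release: ", matching)
```

A client that gets a non-empty result would refuse to join; the same comparison run on the server against hashes reported by the client covers the "other way around" case.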