Bug Tracker – Bug 1249

Wad Hashes aren't always checked clientside

Last modified: 2019-01-26 07:43:04 CST
Status: NEW
Alias: None
Product: Odamex
Classification: Unclassified
Component: Server & Client
Version: 0.8.x
Hardware: All Other
Importance: P5 critical
Assignee: Odamex Bug Reporter
Reported: 2019-01-25 16:45 CST by Maëllig Desmottes
Modified: 2019-01-26 07:43 CST

Description Maëllig Desmottes 2019-01-25 16:45:34 CST
When trying Freedoom 0.11.3 on my server, I noticed my client, which was using Freedoom 0.9, was able to connect with no issue at all, even though it was seriously outdated.

As a result, it messed up the client view completely. Adding the MD5 hashes to the client & server didn't fix anything.

This is a huge security flaw, allowing any client with slightly modified IWADs to mess with the clients (or the other way around). Apparently, it was done in the past, but I don't seem to find anything about it in the source code.

Is it entirely normal?

Comment 1 Maëllig Desmottes 2019-01-25 17:57:08 CST
Steps to reproduce:
1) Create 2 folders: one for the client, one for the server.
2) On the server, add Freedoom1.wad version 0.9 (easier to notice since maps are different). Clientside, add Freedoom1.wad version 0.11.3.
3) Create a server (using the default config is enough) with Freedoom1.wad
4) The client should be run like this: Odamex.exe -connect localhost

The server accepts the client even if the IWAD is different.

HOWEVER, if you try to join using Odalaunch, it'll throw an error.
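
The check this report says is missing, as an added Python sketch that is not part of the bug report and not Odamex code: a server compares each client-reported WAD by filename and MD5 before accepting the connection. The function names, the `(filename, md5)` list shape and the tiny WAD images are assumptions constructed for illustration; only the standard WAD header and directory layout is real.

```python
import hashlib
import struct


def build_wad(kind: bytes, lumps: dict) -> bytes:
    """Build a minimal WAD image: 12-byte header, lump data, 16-byte directory entries."""
    body, directory = b"", b""
    for name, data in lumps.items():
        directory += struct.pack("<ii8s", 12 + len(body), len(data), name.encode("ascii"))
        body += data
    return struct.pack("<4sii", kind, len(lumps), 12 + len(body)) + body + directory


def wad_md5(image: bytes) -> str:
    """MD5 of the whole file, refusing anything without an IWAD/PWAD magic."""
    if image[:4] not in (b"IWAD", b"PWAD"):
        raise ValueError("not a WAD file")
    return hashlib.md5(image).hexdigest()


def check_client_wads(server_wads, client_wads):
    """Compare ordered (filename, md5) lists; return (accepted, reason)."""
    if len(server_wads) != len(client_wads):
        return False, "WAD count differs"
    for (s_name, s_md5), (c_name, c_md5) in zip(server_wads, client_wads):
        if s_name.lower() != c_name.lower():
            return False, f"expected {s_name}, client has {c_name}"
        if s_md5.lower() != c_md5.lower():
            # Same filename is not enough: the contents must match too.
            return False, f"{s_name}: MD5 mismatch"
    return True, "ok"


# Constructed stand-ins for two releases of the same IWAD (not real Freedoom data).
OLD_IWAD = build_wad(b"IWAD", {"E1M1": b"old map data"})
NEW_IWAD = build_wad(b"IWAD", {"E1M1": b"new map data", "E1M2": b"extra map"})

SERVER = [("freedoom1.wad", wad_md5(NEW_IWAD))]
OUTDATED_CLIENT = [("Freedoom1.wad", wad_md5(OLD_IWAD))]
CURRENT_CLIENT = [("FREEDOOM1.WAD", wad_md5(NEW_IWAD).upper())]

if __name__ == "__main__":
    print(check_client_wads(SERVER, OUTDATED_CLIENT))
    print(check_client_wads(SERVER, CURRENT_CLIENT))
```

The comparison relies on the hash the client reports, so it covers mismatched or outdated files like the one in this report. A client that misreports its hash is outside what this comparison can detect.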