Halflife: mp3 commands can crash dedicated servers

Created on 14 May 2019  ·  10 Comments  ·  Source: ValveSoftware/halflife

The mp3 command can be used to crash dedicated servers. Entering this will crash: mp3 play foo. This same command will not crash when running the client.

This is the exception message received when running HLDS under a debugger:

Exception thrown at 0x774FDE33 (ntdll.dll) in hlds.exe: 0xC0000005: Access violation writing location 0x00000014.

Part of the call stack:

>   ntdll.dll!RtlpWaitOnCriticalSection()   Unknown
    ntdll.dll!RtlpEnterCriticalSectionContended()   Unknown
    ntdll.dll!_RtlEnterCriticalSection@4()  Unknown
    swds.dll!02898122() Unknown
    [Frames below may be incorrect and/or missing, no symbols loaded for swds.dll]  Unknown
    swds.dll!028971d5() Unknown
    AdminServer.dll!039cecd1()  Unknown
    swds.dll!02975119() Unknown

The probable cause is CThread::AddThreadItem trying to lock a mutex that hasn't been initialized. The mutex is initialized in CThread::Init, called from CDAudio_Init, itself called if running as a client in Host_Init.

Servers don't support audio playback in general so either the command shouldn't be registered or checks should be added to prevent use of uninitialized variables, especially something as important as a mutex.
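The two mitigations the report proposes (not registering client-only commands on the dedicated server, and refusing to touch a lock that was never initialized) as an added example; this is not the engine's code, and CThread, MP3_Command, RegisterCommands and RunCommand are hypothetical stand-ins for the real implementation.

```cpp
#include <map>
#include <mutex>
#include <string>
#include <vector>

// Hypothetical stand-in for the engine's CThread: the work queue is guarded by
// a mutex that only becomes usable after Init() runs (CDAudio_Init on the client).
class CThread {
public:
    void Init() { m_initialized = true; }
    // Hardened AddThreadItem: refuse the work instead of locking an uninitialized lock.
    bool AddThreadItem(const std::string& item) {
        if (!m_initialized) return false;      // HLDS never called Init(): bail out
        std::lock_guard<std::mutex> lock(m_mutex);
        m_items.push_back(item);
        return true;
    }
    size_t PendingItems() const { return m_items.size(); }
private:
    bool m_initialized = false;                // the check the crashing build lacks
    std::mutex m_mutex;
    std::vector<std::string> m_items;
};

using CommandFn = bool (*)(CThread&, const std::string&);

// Command handler modelled on the report: "mp3 play foo" hands work to CThread.
static bool MP3_Command(CThread& audio, const std::string& args) {
    return audio.AddThreadItem("mp3 " + args);
}

// Command table: client-only commands are not registered for the dedicated
// server, mirroring the "compiled out of HLDS" behaviour discussed in the thread.
std::map<std::string, CommandFn> RegisterCommands(bool dedicated) {
    std::map<std::string, CommandFn> cmds;
    if (!dedicated) {
        cmds["mp3"] = MP3_Command;
        cmds["cd"] = MP3_Command;   // assumption: cd takes the same path as mp3
    }
    return cmds;
}

// Dispatch. Returns 0 = unknown command (ignored), 1 = handled,
// -1 = handler refused because its subsystem was never initialized.
int RunCommand(const std::map<std::string, CommandFn>& cmds, CThread& audio,
               const std::string& name, const std::string& args) {
    auto it = cmds.find(name);
    if (it == cmds.end()) return 0;
    return it->second(audio, args) ? 1 : -1;
}
```

Either layer alone is enough to stop the crash; having both means an overlooked command registration still fails safely instead of faulting inside the lock.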

Dedicated Server Windows

All 10 comments

It looks like that command should be compiled out of HLDS but it relies on the engine library to do that rather than HLDS doing it. On macOS/Linux we make separate engine builds for the client and HLDS so the version of the engine HLDS uses there has different symbols defined in the engine build leading to this and other commands properly being compiled out. On Windows HLDS uses the same engine library that the client does leading to these commands being included.

Since I don't want to do anything too tumultuous without having more details I'll just add a check for mp3 for now that prevents running it in HLDS. It might also be worth testing other things to see if they work in HLDS when they shouldn't.

The cd command is also subject to this, it does the same things that mp3 does so the same check is needed there. I don't see any other commands that could be exploited like this, but I haven't checked them all.

I disabled all of the commands registered in Host_Init that shouldn't be for dedicated servers.
This includes:

  • cd
  • mp3
  • _careeraudio
  • _setrenderer
  • _setvideomode
  • _setgamedir
  • _sethdmodels
  • _setaddons_folder
  • _set_vid_level
  • +voicerecord
  • -voicerecord
  • god
  • notarget
  • fly
  • noclip
  • viewmodel
  • viewframe
  • viewnext
  • viewprev

@mikela-valve and these are just as useless in host_init for "dedicated server":

  • clear
  • cmd
  • toggleconsole
  • demos
  • reconnect
  • viewdemo
  • load
  • save
  • autosave
  • startdemos
  • unbind
  • bind
  • unbindall
  • playdemo

Cheat commands like god should not be disabled since they are forwarded from clients to the server.

@SamVanheer After testing and checking the command handler for god I agree with you. The list I provided was derived from commands that would be conditionally compiled out were that module compiled correctly for HLDS, so it looks like a number of commands were likely erroneously excluded but not noticed since they would still be included on Windows.

Just for comparison I checked with hlds_linux and it does not have them as I thought would be the case, so it looks like a larger survey needs to be taken of which commands should not be available to HLDS and which commands are currently available to HLDS on Windows that should be enabled on macOS/Linux as well.

Ok, I enabled god, notarget, fly and noclip for HLDS on all platforms.

@SkillartzHD I specifically disabled those commands as they were already marked to be disabled for HLDS but weren't properly being disabled on Windows. If any of those commands you posted crash or cause other weird effects when run on a dedicated server, I'd rather disable them on a case-by-case basis than all at once.

The _restart command also crashes dedicated server if it is running in console mode. In GUI mode, it does nothing.

Fixed in beta 'Exe build: 11:11:54 May 21 2019 (8244)'.

Closing as fixed.
