#######################################################################

                             Luigi Auriemma

Application:  Soldier of Fortune II
              http://www.ravensoft.com/soldier2.html
Versions:     1.02x and 1.03
Platforms:    Windows, Linux and Mac
Bug:          bad memory access
Exploitation: remote, versus server (in-game)
Date:         29 Jun 2005
Author:       unknown, found in the wild and reported to me by two admins
Advisory:     Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Soldier of Fortune II is a widely played FPS game developed by Raven
Software (http://www.ravensoft.com) and published by Activision
(http://www.activision.com). It was released in May 2002.

#######################################################################

======
2) Bug
======

The /ignore command tells the server that we (the client) don't want to
receive the messages of a specific user. The command is followed by a
number that identifies the ID of the client we want to ignore.

This client ID is then used by the server as an index into the
g_entities array, which holds 1024 entities, so if we specify a big ID
like 123456789 the server crashes immediately because it tries to
access a zone of memory that is not allocated.

This is an in-game bug, so it cannot be exploited if the attacker is
banned or the server is protected by a password he doesn't know.

#######################################################################

===========
3) The Code
===========

Join a server and from the game console (~ key) type:

  /ignore 123456789

#######################################################################

======
4) Fix
======

The game is no longer supported, so there is no official fix.
The correct way to remove the problem is to patch the bug in the latest
SDK available for the game (1.02 + 1.03) and recompile it. The patch
consists of adding the following instruction in g_cmds.c after
"ignoree = atoi( buffer );" at line 1962:

  if((unsigned)ignoree >= MAX_GENTITIES) return;

It's enough to compile only the game folder (game.bat) and then zip the
file vm\sof2mp_game.qvm into a new pk3 file such as update_fix.pk3.

Another and probably simpler way is just to modify the file
vm\sof2mp_game.qvm, removing the /ignore command. The easy
step-by-step is explained here:

  http://aluigi.org/patches/q3lamefix.txt

#######################################################################
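The bounds check from the fix, worked through as an added C example that is not from the advisory or the SoF2 SDK. It assumes MAX_GENTITIES is 1024 (the array size the advisory gives) and uses a stand-in entity table and hypothetical function names (ignore_index_naive, ignore_index_fixed, ignore_lookup). It contrasts the fix's unsigned comparison with a naive signed one to show why the cast matters: atoi can return negative values, and the unsigned cast rejects those with the same single comparison that rejects 123456789.

```c
#include <stdio.h>
#include <stdlib.h>

/* Assumption: the SDK's MAX_GENTITIES is 1024, the array size the advisory gives. */
#define MAX_GENTITIES 1024

/* Stand-in for the engine's entity table; only the index arithmetic matters here. */
typedef struct { int inuse; } gentity_t;
static gentity_t g_entities[MAX_GENTITIES];

/* Hypothetical naive check, for contrast: a signed comparison stops large
   positive IDs but lets a negative one such as "-5" through, and that would
   index before the start of g_entities. */
int ignore_index_naive(const char *buffer)
{
    int ignoree = atoi(buffer);
    if (ignoree >= MAX_GENTITIES)
        return -1;              /* rejected */
    return ignoree;             /* may still be negative */
}

/* The check the advisory's fix adds after "ignoree = atoi( buffer );".
   Casting to unsigned turns every negative value into a number far above
   MAX_GENTITIES, so one comparison rejects both 123456789 and -5. */
int ignore_index_fixed(const char *buffer)
{
    int ignoree = atoi(buffer);
    if ((unsigned)ignoree >= MAX_GENTITIES)
        return -1;              /* rejected; caller must not touch g_entities */
    return ignoree;             /* 0 .. MAX_GENTITIES-1 */
}

/* Resolves the /ignore argument to an entity slot, or NULL when it is out of
   range. Note that atoi("abc") is 0, so non-numeric input maps to slot 0: the
   fix is about memory safety, not about validating the argument beyond that. */
gentity_t *ignore_lookup(const char *buffer)
{
    int idx = ignore_index_fixed(buffer);
    if (idx < 0)
        return NULL;
    return &g_entities[idx];
}

int main(void)
{
    /* Constructed sample arguments, including the advisory's 123456789. */
    const char *samples[] = { "7", "1023", "1024", "123456789", "-5", "abc" };
    size_t n = sizeof samples / sizeof samples[0];
    for (size_t i = 0; i < n; i++) {
        printf("/ignore %-10s naive=%-11d fixed=%d\n", samples[i],
               ignore_index_naive(samples[i]), ignore_index_fixed(samples[i]));
    }
    return 0;
}
```

The unsigned cast is the whole point of the one-line fix: a signed `>=` alone would still let a negative ID reach the array, while `(unsigned)` folds the entire negative range above MAX_GENTITIES so a single comparison covers both directions.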