This is a security patch for UT v451 servers. The vulnerability is described here: http://aluigi.altervista.org/adv/unreliable-adv.txt

The UT v440/451 Windows and Linux servers are affected by this vulnerability. UT v436 is immune. This patch only works on v451 servers. Do NOT install it on v440/436 servers. Due to the nature of the function that contains the vulnerability, I cannot fix this externally in ServerCrashFix. The only way to fix this properly is to edit the source code (but it doesn't look like that's going to happen). This patch doesn't fix the vulnerability; it simply prevents the server from crashing.

Installation:

* Shut down the server.
* If you run Linux, replace Engine.so with the file attached to this post. If you run Windows, replace Engine.dll.
* Restart the server.

For Unreal Engine licensees:

In UnChan.cpp, UChannel::ReceivedRawBunch:

Replace:

checkSlow(NumInRec<=RELIABLE_BUFFER);

With:

// Reliable receive queue is about to overflow: close the connection instead of asserting.
if (NumInRec>=RELIABLE_BUFFER-1)
{
    Connection->State = USOCK_Closed;
}
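
A simplified model of the receive path, added here as an illustration and not taken from the engine source or from the attached patch: it contrasts the original assertion with the replacement check. Only `NumInRec`, `RELIABLE_BUFFER` (128, per the linked advisory) and `USOCK_Closed` come from the page; the types, the `Patched` flag, `FirstFailure` and the queueing logic are assumptions, and sequence-number wraparound is ignored.

```cpp
// Simplified model of a reliable channel's out-of-order receive queue.
// Names mirror the page (NumInRec, RELIABLE_BUFFER, USOCK_Closed); the
// logic is an assumption for illustration, not Unreal Engine source.
#include <set>

enum EState { USOCK_Open, USOCK_Closed };
enum EResult { Accepted, Dropped, AssertFailed };
const int RELIABLE_BUFFER = 128;

struct FConnection { EState State = USOCK_Open; };

struct FChannel {
    FConnection* Connection;
    bool Patched;            // true: use the replacement check from the post
    int NextSeq = 0;         // sequence number expected next
    std::set<int> InRec;     // queued out-of-order reliable bunches
    int NumInRec = 0;
    FChannel(FConnection* C, bool P) : Connection(C), Patched(P) {}

    EResult ReceivedRawBunch(int Seq) {
        if (Connection->State == USOCK_Closed) return Dropped;
        if (Seq == NextSeq) {
            ++NextSeq;
            // Release queued bunches that are now in order.
            while (InRec.erase(NextSeq)) { --NumInRec; ++NextSeq; }
            return Accepted;
        }
        if (Seq < NextSeq || !InRec.insert(Seq).second) return Dropped; // old or duplicate
        ++NumInRec;
        if (Patched) {
            // Replacement check: disconnect the peer before the queue limit is reached.
            if (NumInRec >= RELIABLE_BUFFER - 1) Connection->State = USOCK_Closed;
            return Accepted;
        }
        // Stand-in for checkSlow(NumInRec<=RELIABLE_BUFFER): report instead of aborting.
        return NumInRec <= RELIABLE_BUFFER ? Accepted : AssertFailed;
    }
};

// Feed Count bunches that all skip the expected sequence number; return the
// index of the first bunch that is not Accepted, or -1 if all are accepted.
int FirstFailure(FChannel& Ch, int Count, EResult* Why) {
    for (int i = 0; i < Count; ++i) {
        EResult R = Ch.ReceivedRawBunch(Ch.NextSeq + 1 + i);
        if (R != Accepted) { *Why = R; return i; }
    }
    return -1;
}
```

In this model the replacement check trips at 127 queued bunches, before the original assertion's limit of 128 can be exceeded, so the offending peer is disconnected while the server process keeps running. A client that merely delivers a few bunches out of order drains the queue and is unaffected.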




#######################################################################

                             Luigi Auriemma

Application:  Unreal engine
              http://www.unrealtechnology.com
Games:        Raven Shield, Deus Ex, Land of the Dead, Postal 2, Rune,
              Shadow Ops, Unreal 2, Unreal Tournament, Unreal
              Tournament 2003, WarPath, XIII and possibly other games
              based on the old versions of the Unreal engine (1, 2)
Platforms:    Windows, Linux, MacOSX
Bug:          failed assertion
Exploitation: remote, versus server
Date:         15 Jul 2010
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


The Unreal engine is the game engine developed by Epic Games
(http://www.epicgames.com) and used in many famous commercial games of
which the main example is just the lucky Unreal Tournament series.


#######################################################################

======
2) Bug
======


This advisory is only a reference to keep this bug tracked because the
affected games are quite old, although still played.

The engine uses a particular assertion in the ReceivedRawBunch function
for handling the data in the incoming packets.
This assertion is "NumInRec<=RELIABLE_BUFFER" and can be exploited
through the sending of a number of packets greater than RELIABLE_BUFFER
(128) using a sequential number different than the expected one.

The effect for the games that implement this assertion is their
immediate termination, while there are a couple of games (Unreal 1 and
SWAT4) that simply report the failed assertion in the console without
bad effects.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/fakep/unrealfp.zip

  unrealfp -B 1 SERVER PORT


#######################################################################

======
4) Fix
======


No fix.


#######################################################################
