Quest States Core Crash Item Dupe Bug Fix

  • This vulnerability should affect every server. You can duplicate item rewards, and also crash the server through dangling pointers.


    The danger of this bug escalates to how many custom systems, and how many crafting quests (for example, the vitality ore quest, not the cube system) you have in your server.


    How to trigger it:


    Any quest that uses select & wait, and the item lua module after that is vulnerable.

    After the server uses select() or wait(), the player's quest state is suspended. After the player replies using the CG packet, the quest state is recovered.


    So what's wrong with it? It doesn't verify if the stored quest item ptr expired.

    You basically need to destroy the selected item ptr in order to dupe the rewards of the quest. After some tries, you may get a core crash in the game. (dangling pointers often cause crashes only after that memory sector has been rewritten)


    In my files, I've checked (since several years ago) if the quest state was suspended for the the default windows such as exchange, cube, shop.

    This bug can work very easily on offline shops or other new systems that don't check that.

    After the select() or wait() is called, you send the selected item to the (e.g.) offlineshop system window. It will delete the item ptr in the game. Now, you can press "Ok" on the quest, and the quest will proceed as if the item still existed.


    The item still exists in the offlineshop, but not the item ptr anymore. The item won't be deleted by the quest even after item.remove() is called.


    This is the fix:




    Important: after this fix, the item ptr may be nullptr after they press enter, so you need to check if the item ptr is still valid by using this function:


    Code
    1. ALUA(item_is_available)
    2. {
    3. auto item = CQuestManager::instance().GetCurrentItem();
    4. lua_pushboolean(L, item != nullptr);
    5. return 1;
    6. }
    7. ...
    8. { "is_available", item_is_available }, // [return lua boolean]


    A way to protect your quests via other manipulations can be this:

    Please login to see this picture.

    Please login to see this link.
    Please login to see this picture.

  • This threads contains one more post that have been hidden for guests, please register yourself or log-in to continue reading.