Patch for cmd donedl and cmd vdr

Download patched binaries

Vulnerable functions

Both commands lead to resetting the player state. This is the original code from sv_client.c.

static void SV_ResetPureClient_f( client_t *cl ) {
	cl->pureAuthentic = 0;
	cl->gotCP = qfalse;

void SV_DoneDownload_f( client_t *cl ) {
	Com_DPrintf( "clientDownload: %s Done\n", cl->name );
	// resend the game state to update any clients that entered during the download
	SV_SendClientGameState( cl );


.text:0804F048 ; ---------------------------------------------------------------------------
.text:0804F049                 align 10h
.text:0804F050                 mov     eax, [esp+4]
.text:0804F054                 xor     ecx, ecx
.text:0804F056                 xor     edx, edx
.text:0804F058                 mov     [eax+546C8h], ecx
.text:0804F05E                 mov     [eax+546CCh], edx
.text:0804F064                 retn
.text:0804F064 ; ---------------------------------------------------------------------------
.text:0804EE70 ; ---------------------------------------------------------------------------
.text:0804EE70                 push    ebx
.text:0804EE71                 sub     esp, 8
.text:0804EE74                 mov     ebx, [esp+10h]
.text:0804EE78                 mov     dword ptr [esp], offset aClientdownload_5 ; "clientDownload: %s Done\n"
.text:0804EE7F                 lea     eax, [ebx+4884Ch]
.text:0804EE85                 mov     [esp+4], eax
.text:0804EE89                 call    sub_806D2C0
.text:0804EE8E                 mov     [esp+10h], ebx
.text:0804EE92                 add     esp, 8
.text:0804EE95                 pop     ebx
.text:0804EE96                 jmp     sub_804EB60
.text:0804EE96 ; ---------------------------------------------------------------------------


.text:0041F3B6 ; ---------------------------------------------------------------------------
.text:0041F3B7                 align 10h
.text:0041F3C0                 mov     eax, [esp+4]
.text:0041F3C4                 xor     ecx, ecx
.text:0041F3C6                 mov     [eax+546C8h], ecx
.text:0041F3CC                 mov     [eax+546CCh], ecx
.text:0041F3D2                 retn
.text:0041F3D2 ; ---------------------------------------------------------------------------
.text:0041F252 ; ---------------------------------------------------------------------------
.text:0041F257                 align 10h
.text:0041F260                 push    esi
.text:0041F261                 mov     esi, [esp+8]
.text:0041F265                 lea     eax, [esi+4884Ch]
.text:0041F26B                 push    eax
.text:0041F26C                 push    offset aClientdownload_6 ; "clientDownload: %s Done\n"
.text:0041F271                 call    sub_40C410
.text:0041F276                 push    esi
.text:0041F277                 call    sub_41EF50
.text:0041F27C                 add     esp, 0Ch
.text:0041F27F                 pop     esi
.text:0041F280                 retn
.text:0041F280 ; ---------------------------------------------------------------------------

The fix

Patch will let the original SV_ResetPureClient_f() happen only when the player's state is not CS_ACTIVE.

SV_DoneDownload_f() checks for downloadEOF or bWWWDl flag, which, when non-zero, is a proof that player has downloaded something. Once the donedl command is sent, those values get zeroed.


.text:0804F048 ; ---------------------------------------------------------------------------
.text:0804F049                 align 10h
.text:0804F050                 cmp     byte ptr [edi], 4
.text:0804F053                 jz      short locret_804F063
.text:0804F055                 push    eax
.text:0804F056                 mov     [edi+546C8h], al
.text:0804F05C                 mov     [edi+546CCh], al
.text:0804F062                 pop     eax
.text:0804F063 locret_804F063:                         ; CODE XREF: .text:0804F053↑j
.text:0804F063                 retn
.text:0804F063 ; ---------------------------------------------------------------------------
.text:0804EE70 ; ---------------------------------------------------------------------------
.text:0804EE70                 push    eax
.text:0804EE71                 add     eax, [edi+48908h]
.text:0804EE77                 add     eax, [edi+48A14h]
.text:0804EE7D                 cmp     eax, 0
.text:0804EE80                 pop     eax
.text:0804EE81                 jz      short locret_804EE9B
.text:0804EE83                 mov     dword ptr [edi+48908h], 0
.text:0804EE8D                 mov     byte ptr [edi+48A14h], 0
.text:0804EE94                 nop
.text:0804EE95                 nop
.text:0804EE96                 jmp     sub_804EB60
.text:0804EE9B ; ---------------------------------------------------------------------------

ETTV (Linux)

.text:08059131 ; ---------------------------------------------------------------------------
.text:08059133                 align 10h
.text:08059140 loc_8059140:                            ; CODE XREF: .text:08059131↑j
.text:08059140                 mov     eax, [esp+4]
.text:08059144                 cmp     dword ptr [eax], 4
.text:08059147                 jz      short locret_805915D
.text:08059149                 mov     dword ptr [eax+5474Ch], 0
.text:08059153                 mov     dword ptr [eax+54750h], 0
.text:0805915D locret_805915D:                         ; CODE XREF: .text:08059147↑j
.text:0805915D                 retn
.text:0805915D ; ---------------------------------------------------------------------------
.text:0805802D ; ---------------------------------------------------------------------------
.text:08058032                 db 90h
.text:08058033 ; ---------------------------------------------------------------------------
.text:08058033 loc_8058033:                            ; CODE XREF: .text:08058054↓j
.text:08058033                 pop     ebx
.text:08058034                 retn
.text:08058034 ; ---------------------------------------------------------------------------
.text:08058035                 align 2
.text:08058036 loc_8058036:                            ; CODE XREF: .text:0805806A↓j
.text:08058036                 pop     ebx
.text:08058037                 jmp     sub_8056800
.text:0805803C ; ---------------------------------------------------------------------------
.text:0805803C                 nop
.text:0805803D                 nop
.text:0805803E                 nop
.text:0805803F                 nop
.text:08058040                 push    ebx
.text:08058041                 nop
.text:08058042                 nop
.text:08058043                 nop
.text:08058044                 nop
.text:08058045                 nop
.text:08058046                 nop
.text:08058047                 nop
.text:08058048                 mov     eax, [ebx+48A14h]
.text:0805804E                 add     eax, [ebx+48908h]
.text:08058054                 jz      short loc_8058033
.text:08058056                 mov     dword ptr [ebx+48A14h], 0
.text:08058060                 mov     dword ptr [ebx+48908h], 0
.text:0805806A                 jmp     short loc_8058036
.text:0805806A ; ---------------------------------------------------------------------------
.text:0805806C                 db  90h
.text:0805806D ; ---------------------------------------------------------------------------


.text:0041F3B6 ; ---------------------------------------------------------------------------
.text:0041F3B7                 align 10h
.text:0041F3C0                 cmp     dword ptr [ebp+0], 4
.text:0041F3C4                 jz      short locret_41F3D8
.text:0041F3C6                 mov     eax, [esp+4]
.text:0041F3CA                 xor     ecx, ecx
.text:0041F3CC                 mov     [eax+546C8h], ecx
.text:0041F3D2                 mov     [eax+546CCh], ecx
.text:0041F3D8 locret_41F3D8:                          ; CODE XREF: .text:0041F3C4↑j
.text:0041F3D8                 retn
.text:0041F3D8 ; ---------------------------------------------------------------------------
.text:0041F252 ; ---------------------------------------------------------------------------
.text:0041F257                 align 4
.text:0041F258 loc_41F258:                             ; CODE XREF: .text:0041F284↓j
.text:0041F258                 pop     eax
.text:0041F259                 retn
.text:0041F25A ; ---------------------------------------------------------------------------
.text:0041F25A loc_41F25A:                             ; CODE XREF: .text:0041F286↓j
.text:0041F25A                 pop     eax
.text:0041F25B                 jmp     sub_41EF50
.text:0041F260 ; ---------------------------------------------------------------------------
.text:0041F260                 push    eax
.text:0041F261                 add     eax, [ebp+48908h]
.text:0041F267                 mov     dword ptr [ebp+48908h], 0
.text:0041F271                 add     eax, [ebp+48A14h]
.text:0041F277                 mov     dword ptr [ebp+48A14h], 0
.text:0041F281                 cmp     eax, 0
.text:0041F284                 jz      short loc_41F258
.text:0041F286                 jmp     short loc_41F25A
.text:0041F286 ; ---------------------------------------------------------------------------

There are multiple versions of etded binaries in the wild thanks to previous patches. You can apply the patch to your own binary using this script.