#######################################################################

Luigi Auriemma

Application:  Medieval Total War
              http://www.totalwar.com
Versions:     <= 1.1
Platforms:    Windows
Bug:          Remote crash of server and attached clients caused by long nickname
Date:         07 Oct 2003
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Medieval Total War is a real-time strategy game for the PC, developed by
Creative Assembly (http://www.creative-assembly.co.uk) and published by
Activision (http://www.activision.com). It was released in August 2002.

#######################################################################

======
2) Bug
======

MTW players have access to the server only at one specific moment, not
while the game itself is running: the Lobby screen shown before the match
starts, where all the players can join.

The bug is in the handling of the nicknames sent by the clients: a
nickname longer than 76 unicode chars causes the immediate crash of the
server and of all the connected clients.

The problem seems to be an access to unreachable memory, and the
following is the instruction at which the crash happens (using 76 chars):

  :0x6b96f8 mov eax,DWORD PTR [edx]

Both EAX and EDX are equal to 0.

Longer nicknames cause exceptions at other instructions, but the problem
is always an access to unreachable memory.

In my tests it doesn't seem possible to execute code, because the
registers that are overwritten by the data are not important for changing
the execution flow.

Side note: on Win98SE I have seen that a very long nickname (at least 250
unicode chars) causes a blue screen of death.

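
The bounds check that the nickname handling lacks, as an added example written for this advisory rather than code from the game or from the author: a hypothetical player record with a 76-code-unit nickname field sitting next to a pointer, a copy routine that rejects longer nicknames instead of spilling into the neighbouring field, and a constructed check that feeds nicknames of a chosen length through it. The struct layout, the function names and the 'A' filler are assumptions, not the game's real data structures.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Limit taken from the advisory: nicknames above 76 UTF-16 code units crash the game. */
#define NICK_MAX 76

/* Hypothetical player record, not the game's real layout: a fixed nickname buffer
   sits next to a pointer, so an unchecked copy would spill into the pointer. */
struct player {
    uint16_t nick[NICK_MAX + 1];   /* NICK_MAX code units plus a terminator */
    void *session;                 /* neighbouring field that must stay intact */
};

/* Count UTF-16 code units up to the first terminator, never looking past
   `limit` units, so an unterminated client buffer cannot be over-read. */
static size_t nick_len_bounded(const uint16_t *s, size_t limit)
{
    size_t n = 0;
    while (n < limit && s[n] != 0) n++;
    return n;
}

/* Hardened nickname handler: rejects anything longer than NICK_MAX code units
   (returns -1); otherwise copies it, forces termination and returns its length. */
int set_nickname(struct player *p, const uint16_t *wire, size_t wire_units)
{
    size_t n = nick_len_bounded(wire, wire_units);
    if (n > NICK_MAX) return -1;
    memcpy(p->nick, wire, n * sizeof(uint16_t));
    p->nick[n] = 0;
    return (int)n;
}

/* Constructed check: build an unterminated nickname of `units` code units (as a
   client could send), pass it through the handler and report whether it was
   accepted (1), rejected (0) or corrupted the neighbouring pointer (-1). */
int nickname_outcome(size_t units)
{
    uint16_t wire[512];
    struct player p;
    void *marker = (void *)wire;   /* arbitrary sentinel for the pointer field */
    if (units > 512) return -1;
    for (size_t i = 0; i < units; i++) wire[i] = (uint16_t)'A';
    p.session = marker;
    int accepted = set_nickname(&p, wire, units) >= 0;
    if (p.session != marker) return -1;
    return accepted;
}
```
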
#######################################################################

===========
3) The Code
===========

I have written a simple proof-of-concept that also lets you specify the
number of unicode chars to use in the nickname field. Use a number
greater than or equal to 76:

  http://aluigi.org/poc/mtwdos-server.zip

#######################################################################

======
4) Fix
======

No fix. I contacted Creative Assembly many months ago, but they didn't
have the resources to patch these bugs.

#######################################################################