Off-by-one bug in Halo 1.04

Type securityvulns
Reporter Securityvulns
Modified 2004-09-10T00:00:00


                         Luigi Auriemma

Application:  Halo: Combat Evolved
Versions:     <= 1.4
Platforms:    Windows and MacOS
Bug:          off-by-one (Denial of Service)
Risk:         medium/high
Exploitation: remote, versus server
Date:         09 September 2004
Author:       Luigi Auriemma
e-mail:
web:

1) Introduction
2) Bug
3) The Code
4) Fix

===============
1) Introduction
===============

Halo is the widely known game originally developed by Bungie Studios and ported to PC by Gearbox Software. It was released in September 2003.

======
2) Bug
======

Halo uses the GameSpy SDK and, in particular, the handshake algorithm provided by that library to let players join servers.

The off-by-one bug is in the server's handling of the client's response, the last stage of this handshake: a response longer than 32 bytes causes the immediate crash of the server.
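The following is an added illustration of the bug class described above, not the advisory's proof-of-concept and not code from Halo or the GameSpy SDK. It assumes a server-side 32-byte field for the client's handshake response (the size stated in the advisory) followed in memory by a 4-byte canary standing in for whatever the real server kept after that field (an assumption made for the demonstration); the vulnerable handler uses `<=` where `<` was meant, so a response of 33 or more bytes writes exactly one byte past the field, while the hardened handler rejects oversized responses before copying.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { RESP_MAX = 32, CANARY_LEN = 4 };
#define CANARY_BYTE 0xA5

/* Hypothetical per-client record: the response field occupies
 * mem[0 .. RESP_MAX-1]; the canary sits immediately after it so that
 * a one-byte overrun can be detected without crashing this program. */
struct session {
    uint8_t mem[RESP_MAX + CANARY_LEN];
};

static void session_init(struct session *s) {
    memset(s->mem, 0, sizeof s->mem);
    memset(s->mem + RESP_MAX, CANARY_BYTE, CANARY_LEN);
}

/* 1 if the bytes after the response field are untouched, 0 otherwise. */
static int canary_intact(const struct session *s) {
    for (size_t i = 0; i < CANARY_LEN; i++)
        if (s->mem[RESP_MAX + i] != CANARY_BYTE)
            return 0;
    return 1;
}

/* Vulnerable: the loop bound is "<= RESP_MAX" instead of "< RESP_MAX".
 * For len <= 32 nothing is wrong; for len >= 33 the iteration with
 * i == 32 stores one byte beyond the field (the classic off-by-one). */
static int store_response_vulnerable(struct session *s, const uint8_t *resp, size_t len) {
    for (size_t i = 0; i <= RESP_MAX && i < len; i++)
        s->mem[i] = resp[i];
    return 0;
}

/* Hardened: validate the length against the field size before any write,
 * then copy with the bound taken from the field itself. 0 = stored,
 * -1 = rejected (the server should drop the client, not crash). */
static int store_response_hardened(struct session *s, const uint8_t *resp, size_t len) {
    if (len > RESP_MAX)
        return -1;
    memcpy(s->mem, resp, len);
    return 0;
}

typedef int (*store_fn)(struct session *, const uint8_t *, size_t);

/* Feed a constructed client response of `len` bytes (all 'A', max 64) to a
 * handler and report whether the canary survived (1) or was clobbered (0). */
static int check_handler(store_fn fn, size_t len) {
    struct session s;
    uint8_t resp[64];                 /* constructed oversized response */
    if (len > sizeof resp)
        len = sizeof resp;
    memset(resp, 'A', sizeof resp);
    session_init(&s);
    (void)fn(&s, resp, len);
    return canary_intact(&s);
}

int main(void) {
    size_t lens[] = { 31, 32, 33, 64 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("len=%2zu vulnerable canary intact=%d  hardened canary intact=%d\n",
               lens[i],
               check_handler(store_response_vulnerable, lens[i]),
               check_handler(store_response_hardened, lens[i]));
    return 0;
}
```

Running it shows the boundary the advisory describes: 32 bytes are handled correctly by both versions, and from 33 bytes upward only the vulnerable loop corrupts the byte after the field. In a real server the byte after the buffer is not a canary but live data or a saved pointer, which is what turns the overrun into the crash reported here.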

===========
3) The Code
===========

======
4) Fix
======

Patch 1.05 for both Win32 and MacOS.

Luigi Auriemma