Skip to content

fix(logic): Improve validation of MSG_DO_SPECIAL_POWER and variants in GameLogicDispatch#2380

Open
stephanmeesters wants to merge 3 commits intoTheSuperHackers:mainfrom
stephanmeesters:fix/gamelogicdispatch-specialpower
Open

fix(logic): Improve validation of MSG_DO_SPECIAL_POWER and variants in GameLogicDispatch#2380
stephanmeesters wants to merge 3 commits intoTheSuperHackers:mainfrom
stephanmeesters:fix/gamelogicdispatch-specialpower

Conversation

@stephanmeesters
Copy link

@stephanmeesters stephanmeesters commented Mar 2, 2026

This PR improves the stability of network games by validating the origin of source objects in MSG_DO_SPECIAL_POWER and related MSG variants in GameLogicDispatch. Tested on ~1k replays.

Todo

  • Replicate in Generals

@greptile-apps
Copy link

greptile-apps bot commented Mar 2, 2026
edited
Loading

Greptile Summary

This PR improves network game stability by adding player-ownership validation to four MSG_DO_SPECIAL_POWER message handlers in GameLogicDispatch. Before executing a special power for a specific source object, each handler now verifies that the source is controlled by the issuing player, breaking out of the dispatch with a DEBUG_CRASH diagnostic if the check fails. The pattern is consistent with existing ownership guards elsewhere in the same file (e.g. MSG_DO_EXIT, MSG_DO_UPGRADE, MSG_DO_SELL).

  • Four identical validation blocks added for MSG_DO_SPECIAL_POWER, MSG_DO_SPECIAL_POWER_AT_LOCATION, MSG_DO_SPECIAL_POWER_AT_OBJECT, and MSG_DO_SPECIAL_POWER_OVERRIDE_DESTINATION.
  • Each block correctly breaks out of the switch on failure, preventing the AI group command from being issued.
  • The DEBUG_CRASH format string in every block eagerly dereferences source->getControllingPlayer() — if that returns nullptr (neutral/unowned object), the diagnostic itself will crash before printing in debug builds; a local null-check on the controller pointer would be safer.

Confidence Score: 4/5
  • This PR is safe to merge; the validation logic is correct and consistent with existing patterns, with only a minor debug-only null-safety concern in the diagnostic message.
  • The four validation blocks are structurally identical, follow established conventions in the file, and the break correctly exits the switch in both debug and release builds. The only concern is the eager evaluation of source->getControllingPlayer()->getPlayerDisplayName() inside DEBUG_CRASH, which could produce a secondary null dereference in debug builds if the source object has no owner. This does not affect release builds and the author reports successful testing on ~1k replays.
  • No files require special attention beyond the minor debug-message null-safety note in GameLogicDispatch.cpp.

Important Files Changed
Filename Overview
GeneralsMD/Code/GameEngine/Source/GameLogic/System/GameLogicDispatch.cpp Adds four identical ownership-validation blocks for MSG_DO_SPECIAL_POWER and variants; logic is sound and consistent with existing patterns in the file, but the DEBUG_CRASH message arguments dereference the result of getControllingPlayer() without a null guard, risking a secondary crash in debug builds if the source object has no controlling player.

Flowchart

 
%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A["logicMessageDispatcher(msg)"] --> B["thisPlayer = getNthPlayer(msg->getPlayerIndex())"]
    B --> C{MSG type?}
    C --> D["MSG_DO_SPECIAL_POWER\nMSG_DO_SPECIAL_POWER_AT_LOCATION\nMSG_DO_SPECIAL_POWER_AT_OBJECT\nMSG_DO_SPECIAL_POWER_OVERRIDE_DESTINATION"]
    D --> E["source = findObjectByID(sourceID)"]
    E --> F{source != nullptr?}
    F -- No --> G["Use currentlySelectedGroup"]
    F -- Yes --> H{"source->getControllingPlayer()\n== thisPlayer?"}
    H -- No --> I["DEBUG_CRASH diagnostic\n+ break (exit switch)"]
    H -- Yes --> J["Create AIGroup\nadd(source)\ngroupDoSpecialPower(...)"]
    J --> K["Destroy / removeAll AIGroup"]
Loading

Last reviewed commit: 1b37cba

greptile-apps[bot]
greptile-apps bot reviewed Mar 2, 2026
View reviewed changes
Copy link

@greptile-apps greptile-apps bot left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

1 file reviewed, 5 comments

Edit Code Review Agent Settings | Greptile

@Skyaero42
Copy link

Skyaero42 commented Mar 3, 2026

Does this resolve an actual bug/crash or is it solving a potential issue in the future?

@xezon xezon added Major Severity: Minor < Major < Critical < Blocker Gen Relates to Generals ZH Relates to Zero Hour Fix Is fixing something, but is not user facing labels Mar 3, 2026
xezon
xezon reviewed Mar 3, 2026
View reviewed changes
Copy link

@xezon xezon left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Very important fix.

Can you do more audits over other messages for follow ups?

For example GameMessage::MSG_ENTER has no player check but GameMessage::MSG_EXIT does.

@stephanmeesters
Copy link
Author

stephanmeesters commented Mar 3, 2026

Can you do more audits over other messages for follow ups?

Yes I should have some follow up PR's ready soon

xezon
xezon reviewed Mar 4, 2026
View reviewed changes
GeneralsMD/Code/GameEngine/Source/GameLogic/System/GameLogicDispatch.cpp
if (source != nullptr)
{
// TheSuperHackers @fix stephanmeesters 01/03/2026 Validate the origin of the source object
if ( source->getControllingPlayer() != thisPlayer )
Copy link

@xezon xezon Mar 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One more thought on this: This would cause mismatch if someone cheated, for example with Control Hack. Are we ok with this?

It probably needs to go behind RETAIL_COMPATIBLE_CRC for the upmost correctness

Copy link
Author

@stephanmeesters stephanmeesters Mar 4, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IMO mismatch is desirable here, and would be nice if the first release can have all these cases solid so it's a more "trustworthy" client (although, it doesn't actually communicate around that it did a good thing..)

Copy link

@xezon xezon Mar 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If we decide to go that route, then at least put a commented // #if RETAIL_COMPATIBLE_CRC and explain why we accept this mismatch.

Copy link

@Caball009 Caball009 Mar 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IMO mismatch is desirable here,

I agree. It's also consistent with all the other places that already check for the controlling player to prevent blatant abuse.

My only mild concern is that we may run into replays that mismatch because of this, and it's going to take time and effort to find out why they started to mismatch.

@stephanmeesters stephanmeesters mentioned this pull request Mar 5, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@xezon xezon xezon left review comments

@Caball009 Caball009 Caball009 left review comments

@greptile-apps greptile-apps[bot] greptile-apps[bot] left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

Fix Is fixing something, but is not user facing Gen Relates to Generals Major Severity: Minor < Major < Critical < Blocker ZH Relates to Zero Hour

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@stephanmeesters @Skyaero42 @xezon @Caball009