Issue information

Issue ID
#3195
Status
Fixed
Severity
Critical
Started
Hercules Elf Bot
Jun 7, 2009 3:13
Last Post
Hercules Elf Bot
Jun 7, 2009 3:13
Confirmation
N/A

Hercules Elf Bot - Jun 7, 2009 3:13

Originally posted by theultramage
http://www.eathena.ws/board/index.php?autocom=bugtracker&showbug=3195

There is a check missing to prevent a player from equipping an already equipped item - from the same inventory slot into two separate equip positions. The consequence is that the player temporarily receives all of the benefits of having the extra item equipped, until next base status recalc.

That an item can be equipped onto two inventory slots is possible due to how eathena stores equipped item information. Each inventory item has an 'equip' attribute that specifies a unique equip position. This is ok. However, there is also an 'equip_index' structure which for every equip position holds the inventory slot used. This is the culprit, since it allows multiply equipped items.

The scenario:
  1. player equips inventory item at offset I into position A
  2. server writes sd->inventory_data[I].equip, setting it to A
  3. server writes sd->equip_index[A], setting it to I
  4. player sends request to equip this same item into a compatible position B
  5. server overwrites sd->inventory_data[I].equip, changing it from A to B
  6. server writes sd->equip_index[B], setting it to I
  7. status_calc_pc(SCB_ALL) is invoked
  8. the 'equip_index' array is used to execute equipped item scripts, running script for position A and then for position B.
Consequence: The item's script runs twice.

Severity: Medium for now, since only the equip script buff is duplicated. Might count as exploit for some specific items though, examples needed.
Reproducibility: Always; requires either WPE or a somewhat inconvenient two-player interaction w/ @refresh usage (or alternatively, family/guildmaster recall).

In the non-wpe case,
  1. player opens a trade, puts in the item, and clicks confirm
  2. player uses @refresh (or asks for a recall) to make the trade window disappear
  3. partner completes the trade
  4. (player's client will ignore the 'trade finished' packet and will not visually erase the traded item)
  5. partner gives the item back
  6. item lands in the same inventory slot where it originally was
  7. client still thinks it has the item in that slot, so it will display as 'two' of the items, stacked
  8. now player can perform step 1] with 1ea of the item (real), and then step 4] with the remaining 1ea (fake) in the same inventory slot.


This post has been edited by theultramage: Aug 30 2009, 10:14 AM
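The following is an added illustration, not eAthena code or code from the reporter: a minimal C model of the two bookkeeping structures the report describes ('equip' per inventory item, 'equip_index' per equip position), the unchecked equip path that produces the double-run, and the server-side check that rejects equipping an inventory slot that is already equipped. Position and slot values, `nameid`, and all function names other than the two field names are constructed for the example; `count_script_runs` stands in for the part of `status_calc_pc(SCB_ALL)` that walks `equip_index` to run item scripts.

```c
/* Added example (not eAthena's code): toy model of equip bookkeeping and the missing check. */
#include <stdio.h>
#include <string.h>

#define MAX_INVENTORY 8
#define EQI_MAX       4   /* toy position ids are 1..EQI_MAX-1; 0 means "not equipped" */

struct item {
    int nameid;   /* constructed item id, unused by the logic */
    int equip;    /* equip position this slot is worn in, 0 = not equipped */
};

struct map_session_data {
    struct item inventory_data[MAX_INVENTORY];
    short equip_index[EQI_MAX];   /* inventory slot worn at each position, -1 = empty */
};

static void init_sd(struct map_session_data *sd) {
    memset(sd, 0, sizeof *sd);
    for (int p = 0; p < EQI_MAX; p++) sd->equip_index[p] = -1;
}

/* Behaviour the report describes: steps 2-3 and 5-6 run with no check that
 * the slot is already equipped, so equip_index ends up pointing at slot I twice. */
static int equip_unchecked(struct map_session_data *sd, int slot, int pos) {
    sd->inventory_data[slot].equip = pos;
    sd->equip_index[pos] = slot;
    return 0;
}

/* Hardened variant: validate the indices and refuse to equip a slot whose
 * 'equip' attribute says it is already worn somewhere. */
static int equip_checked(struct map_session_data *sd, int slot, int pos) {
    if (slot < 0 || slot >= MAX_INVENTORY || pos <= 0 || pos >= EQI_MAX) return -1;
    if (sd->inventory_data[slot].equip != 0) return -1;   /* already equipped: reject */
    sd->inventory_data[slot].equip = pos;
    sd->equip_index[pos] = slot;
    return 0;
}

/* Stand-in for the equip_index walk in status_calc_pc(SCB_ALL): how many times
 * the item script for this inventory slot would be executed. */
static int count_script_runs(const struct map_session_data *sd, int slot) {
    int runs = 0;
    for (int p = 1; p < EQI_MAX; p++)
        if (sd->equip_index[p] == slot) runs++;
    return runs;
}

/* Invariant worth asserting in a recalc: every equipped slot appears exactly
 * once in equip_index, every unequipped slot not at all. */
static int equip_state_consistent(const struct map_session_data *sd) {
    for (int i = 0; i < MAX_INVENTORY; i++) {
        int expected = sd->inventory_data[i].equip != 0 ? 1 : 0;
        if (count_script_runs(sd, i) != expected) return 0;
    }
    return 1;
}

/* Replays the report's scenario: equip slot I into position A, then again into
 * compatible position B. Constructed values: I = 2, A = 1, B = 2. */
static void run_scenario(struct map_session_data *sd, int use_check) {
    const int I = 2, A = 1, B = 2;
    int (*equip)(struct map_session_data *, int, int) = use_check ? equip_checked : equip_unchecked;
    init_sd(sd);
    sd->inventory_data[I].nameid = 1234;   /* constructed */
    equip(sd, I, A);
    equip(sd, I, B);
}

int scenario_script_runs(int use_check) {
    struct map_session_data sd;
    run_scenario(&sd, use_check);
    return count_script_runs(&sd, 2);
}

int scenario_consistent(int use_check) {
    struct map_session_data sd;
    run_scenario(&sd, use_check);
    return equip_state_consistent(&sd);
}

int main(void) {
    printf("unchecked: script runs=%d consistent=%d\n", scenario_script_runs(0), scenario_consistent(0));
    printf("checked:   script runs=%d consistent=%d\n", scenario_script_runs(1), scenario_consistent(1));
    return 0;
}
```

The check is deliberately placed in the equip handler rather than in the recalc: rejecting the second request keeps `equip` and `equip_index` in agreement at the moment they are written, and the `equip_state_consistent` walk is the cheap invariant a recalc can assert to detect any other path that desynchronises the two structures.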