Closed s1lentq closed 2 months ago
`sv_net_incoming_decompression_punish` doesn't return any value in server console?!
thx
so when `sv_allowupload 0`, `sv_net_incoming_*` doesn't matter?
Tested, both players were using GS Client, both got kicked with message Malformed/abnormal compressed data. Used default values for cvars.
> Tested, both players were using GS Client, both got kicked with message Malformed/abnormal compressed data. Used default values for cvars.

Try raising the value of the cvar `sv_net_incoming_decompression_max_ratio` by step +1.0 until the false positives are gone.
p.s. can you capture incoming traffic into pcap format from these clients and share it to my mail?
> so when `sv_allowupload 0`, `sv_net_incoming_*` doesn't matter?

`sv_allowupload` allows you to upload file fragments, but this PR covers only normal fragments, so it doesn't matter
> > Tested, both players were using GS Client, both got kicked with message Malformed/abnormal compressed data. Used default values for cvars.
>
> Try raising the value of the cvar `sv_net_incoming_decompression_max_ratio` by step +1.0 until the false positives are gone.
> p.s. can you capture incoming traffic into pcap format from these clients and share it to my mail?

a bit challenging but I will try, just to catch guys who had issue.
@s1lentq Just writing to you to clarify this. The information exposed here is probably too technical. We need a simpler explanation.
When is the decompression being used? I mean, which clients use it. For example, on GSClient, does it work without decompression too?
How about if I disable the main cvar? Can players enter the server?
> @s1lentq Just writing to you to clarify this. The information exposed here is probably too technical. We need a simpler explanation.

Clients mainly use compression (and, as a result, decompression on the server side) when precaching resources to reduce the size of the packet. In the in-game stage, compression isn't used much.

> When is the decompression being used? I mean, which clients use it. For example, on GSClient, does it work without decompression too? How about if I disable the main cvar? Can players enter the server?

All clients, without exception, use compression. If decompression is disabled, those clients won't be able to connect to the server because the server won't be able to handle them anymore. It's not really a good idea to set `sv_net_incoming_decompression` to 0; this CVar was added for technical reasons.
This PR enhances security by controlling the decompression of the incoming network data buffer to avoid server hangs and other potential risks associated with zip bomb attacks.
Added network security CVars:
- `sv_net_incoming_decompression` (0-1) Enables or disables incoming data decompression. Default: 1
- `sv_net_incoming_decompression_max_ratio` (0.0 - 100.0) Sets max allowed ratio between compressed and decompressed data. (A ratio close to 90 indicates large uncompressed data with low entropy, this means abnormal compressed data which can cause server to hang). Default: 80
- `sv_net_incoming_decompression_max_size` (16-65536) Adjusts max size in bytes of output data after decompression. Default: 65536
- `sv_net_incoming_decompression_punish` Time in minutes for which the player will be banned for malformed/abnormal bzip2 fragments (0 - Permanent, use a negative number for a kick). Default: -1
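
The two limits described above (output size cap and compressed/decompressed ratio), sketched in Python as an added example; this is not code from the PR. The names `check_fragment` and `saved_percent` are hypothetical, and the ratio formula (percentage of the decompressed size saved by compression) is an assumption, since the PR's own formula is not shown on this page.

```python
import bz2

# Defaults quoted from the PR description; the ratio formula is an assumption.
MAX_RATIO = 80.0   # sv_net_incoming_decompression_max_ratio
MAX_SIZE = 65536   # sv_net_incoming_decompression_max_size


def saved_percent(compressed_len, decompressed_len):
    """Assumed ratio: percentage of the output size that compression saved."""
    if decompressed_len == 0:
        return 0.0
    return (1.0 - compressed_len / decompressed_len) * 100.0


def check_fragment(compressed, max_ratio=MAX_RATIO, max_size=MAX_SIZE):
    """Classify one bzip2 buffer: ok, malformed, too_large or abnormal_ratio."""
    dec = bz2.BZ2Decompressor()
    try:
        # Cap the output at max_size + 1 so a bomb is never fully inflated.
        out = dec.decompress(compressed, max_length=max_size + 1)
    except OSError:
        return "malformed", None
    if len(out) > max_size:
        return "too_large", None
    if not dec.eof:
        return "malformed", None  # input ended before the bzip2 trailer
    if saved_percent(len(compressed), len(out)) >= max_ratio:
        return "abnormal_ratio", None
    return "ok", out


if __name__ == "__main__":
    # Constructed sample inputs, not captured traffic.
    samples = {
        "resource list": bz2.compress(b"".join(
            b"sound/weapons/gun%03d.wav\n" % i for i in range(40))),
        "zero fill": bz2.compress(bytes(60000)),
        "bomb": bz2.compress(bytes(1_000_000)),
        "garbage": b"not bzip2 at all",
    }
    for name, buf in samples.items():
        print(f"{name:14s} {len(buf):5d} bytes in -> {check_fragment(buf)[0]}")
```

Repetitive but legitimate data, such as the constructed resource list, can sit close to the ratio threshold, which is the false-positive case discussed in the comments.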