dreamstalker / rehlds

Reverse-engineered HLDS
GNU General Public License v3.0

Implemented reduction of impact caused by zip-bomb exploit #994

Closed s1lentq closed 2 months ago

s1lentq commented 7 months ago

This PR enhances security by controlling the decompression of the incoming network data buffer to avoid server hangs and other potential risks associated with zip bomb attacks.

Added network security CVars:

fred0r commented 7 months ago

sv_net_incoming_decompression_punish doesn't return any value in the server console?!

fred0r commented 7 months ago

thx

fred0r commented 7 months ago

so when sv_allowupload 0, sv_net_incoming_* doesn't matter?

drag1c commented 7 months ago

Tested, both players were using GS Client, both got kicked with message Malformed/abnormal compressed data. Used default values for cvars.

s1lentq commented 7 months ago

> Tested, both players were using GS Client, both got kicked with message Malformed/abnormal compressed data. Used default values for cvars.

Try raising the value of the cvar sv_net_incoming_decompression_max_ratio in steps of +1.0 until the false positives are gone.

P.S. Can you capture incoming traffic in pcap format from these clients and share it to my mail?

s1lentq commented 7 months ago

> so when sv_allowupload 0, sv_net_incoming_* doesn't matter?

sv_allowupload allows you to upload file fragments, but this PR covers only normal fragments, so it doesn't matter.

drag1c commented 7 months ago

> > Tested, both players were using GS Client, both got kicked with message Malformed/abnormal compressed data. Used default values for cvars.
>
> Try raising the value of the cvar sv_net_incoming_decompression_max_ratio in steps of +1.0 until the false positives are gone.
>
> P.S. Can you capture incoming traffic in pcap format from these clients and share it to my mail?

A bit challenging but I will try, just to catch guys who had the issue.

RauliTop commented 2 months ago

@s1lentq I'm just writing to you to clarify this. The information exposed here is probably too technical. We need a simpler explanation.

When is the decompression being used? I mean, what clients use it? For example, on GSClient, is it working without decompression too?

How about if I disable the main cvar? Can players enter the server?

s1lentq commented 2 months ago

> @s1lentq I'm just writing to you to clarify this. The information exposed here is probably too technical. We need a simpler explanation.

Clients mainly use compression (and as a result, decompression on the server side) when precaching resources to reduce the size of the packet. During the in-game stage, compression isn't used much.

> When is the decompression being used? I mean, what clients use it? For example, on GSClient, is it working without decompression too? How about if I disable the main cvar? Can players enter the server?

All clients, without exception, use compression. If decompression is disabled, those clients won't be able to connect to the server because the server won't be able to handle them anymore. It's not really a good idea to set sv_net_incoming_decompression to 0; this CVar was added for technical reasons.
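
The ratio limit discussed in this thread, and the false positives it can cause at a low setting, can be reproduced with a small bounded decompressor. This is an added example, not ReHLDS code: bzip2 stands in as the compressor (the thread does not name the format), and `max_ratio`, `max_size`, their default values and the sample buffers are assumptions constructed for the illustration.

```python
import bz2

class DecompressionRejected(Exception):
    """Input was malformed, truncated, or expanded past the allowed limits."""

def bounded_decompress(blob, max_ratio=80.0, max_size=65536, chunk=4096):
    """Decompress a bzip2 buffer without ever exceeding the output budget.

    max_ratio and max_size are hypothetical knobs with constructed defaults.
    """
    if not blob:
        raise DecompressionRejected("empty input")
    # Budget = smaller of the absolute cap and (input size * allowed ratio).
    budget = min(max_size, int(len(blob) * max_ratio))
    dec = bz2.BZ2Decompressor()
    out = bytearray()
    pending = blob
    try:
        while not dec.eof:
            if not pending and dec.needs_input:
                raise DecompressionRejected("truncated stream")
            # Request at most one byte past the budget: enough to detect an
            # overrun without materialising the full expansion in memory.
            want = min(chunk, budget - len(out) + 1)
            out += dec.decompress(pending, max_length=want)
            pending = b""
            if len(out) > budget:
                raise DecompressionRejected(
                    f"output exceeds budget of {budget} bytes "
                    f"for {len(blob)} input bytes")
    except OSError as exc:  # raised by bz2 on an invalid data stream
        raise DecompressionRejected(f"malformed data: {exc}") from exc
    return bytes(out)

def verdict(blob, **limits):
    """Return 'accepted' or 'rejected' for a compressed buffer."""
    try:
        bounded_decompress(blob, **limits)
        return "accepted"
    except DecompressionRejected:
        return "rejected"

# Constructed sample inputs (not captured traffic).
ORDINARY = bz2.compress(bytes(range(256)) * 4)   # low-ratio payload
REPETITIVE = bz2.compress(b"A" * 20000)          # legitimate but very compressible
OVERSIZED = bz2.compress(b"\0" * 1_000_000)      # expands far past max_size

if __name__ == "__main__":
    for name, blob in [("ordinary", ORDINARY), ("repetitive", REPETITIVE),
                       ("oversized", OVERSIZED)]:
        print(name, len(blob), verdict(blob), verdict(blob, max_ratio=1000.0))
```

The `REPETITIVE` buffer is the false-positive case: it is rejected at the lower ratio and accepted once the ratio is raised, while the absolute size cap still stops `OVERSIZED` at either setting.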