[kovarex] [1.1.21] Crash of server when scrolling blueprint book during sync
Posted: Sat Feb 13, 2021 7:34 am
a bug
What works:The server crashes.
(vector detected and tested around 1.1.6 / Dec 2020)
err how?
just copy your bp storage 4mb+ to a second file, wipe the main one, join the server,
make a book you can scroll with a wheel pretty fast, (3+ prints),
put a book to your fast slot (WITHOUT COPYING IT; it has to refer to global lib)
(and yup you need to use a headless server so that "latency" is >0.000).
Now disconnect and swap bp to the BIG one, Join back. And while it is still in SYNC-bp-lib state start scrolling the book through with your wheel pretty fast.
The server should go down in seconds.
How to do it?
Here's a video for ya:
PoC YouTube video of a full MWE
I have the permission to go public on this in DM on this forum.
I have reported it before but with fewer details on how-to. (pretty long ago, not just yesterday)
The bug was also tested (once)
(night time)(sorry guys if got you any harm, the server save was requested, warnings issued, thanks Hana)
For server admins:
thanks to 1.1.9 patch (some client side fixes) logs show at least something! but it is still pretty unclear on "who exactly did this". However the method shown in video (no packet sniffers/gates) only works a few seconds after the sync of prints have started.So temporal whitelists bots or a hard limit on map-download slots should mitigate the uncertainty on "who did this" quite a lot.
You don't have to nor need to set those limits but well just in case you need to do something real quick right this moment this is a possible hardening answer.
