This update patches a crash exploit circulating for CSGO SRCDS. This
affected both official and community servers. Since this update came
with no documentation for server owners, I thought I'd do some
documentation myself.

The crash worked by using a malicious client to run the ConCommand
"setinfo" in rapid succession for a period of time. Malicious commands
were in the format "setinfo %d %d" where %d was an incrementing
integer. On low-memory configurations, SRCDS could run out of heap
space, or cause high CPU usage - enough to lag the server.

This memory and resource exhaustion worked because a) setinfo iterated
every registered ConCommand looking for one with the same name as the
first parameter, which would block, b) if none exists, a new one is
created with the specified name and value on the heap, and c) each
unique run of setinfo would cause step (a) to take longer, thereby
consuming more resources.

Prior to this patch, mitigation was possible with SourceMod plugins that
rate-limited ConVars. SourceMod Anti-Cheat had this capability, among
other plugins. Vanilla servers were doneskies.

*Most servers will be unaffected by this patch.* If your server, for
whatever reason, needs to use setinfo or FCVAR_USERINFO in the middle of
the game, then you must selectively whitelist allowed userinfo keys by
defining the FCVAR_USERINFO ConVar on connection. This can be done
quite easily on SourceMod.

1. Listen for OnClientConnect events.
2. Define a new ConVar with the specified key name with flag
FCVAR_USERINFO (9).

Regards,
Brendan H
Senior Software Engineer
Platinum Digital Group LLC

On 3/21/2016 16:52 PM, Vitaliy Genkin wrote:
An optional server stability update for CS:GO has been released. It is
recommended for server operators to update servers with PatchVersion=1.35.2.9
to the latest build ServerVersion=310.
Community servers that need clients to upload changes to their userinfo entries
during gameplay must set all allowed server-side userinfo setting keys when
processing client connect.
GL HF!
_______________________________________________
Csgo_servers mailing list
[email protected]
https://list.valvesoftware.com/cgi-bin/mailman/listinfo/csgo_servers
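
The following is an added example, not part of the original thread and not Source engine or SourceMod code. It is a toy Python model of the linear scan and create-on-miss behaviour described in the message, set beside a registry that rejects unregistered keys. Treating that rejection as the patched behaviour is an assumption drawn from the whitelisting advice; the class, function and key names are hypothetical.

```python
# Toy model of the setinfo handling described above (constructed; not engine code).

class UserinfoRegistry:
    def __init__(self, registered, create_on_miss):
        self.entries = [[name, ""] for name in registered]  # scanned linearly
        self.create_on_miss = create_on_miss  # True models the pre-patch server
        self.comparisons = 0                  # name comparisons performed so far

    def register(self, key):
        """Whitelist a key, as a plugin would while processing client connect."""
        self.entries.append([key, ""])

    def setinfo(self, key, value):
        for entry in self.entries:            # step (a): scan every entry
            self.comparisons += 1
            if entry[0] == key:
                entry[1] = value              # known key: update in place
                return True
        if not self.create_on_miss:
            return False                      # assumed patched behaviour: reject
        self.entries.append([key, value])     # step (b): new entry on the heap
        return True


def measure(registry, count):
    """Feed `count` unique keys; return (entries, comparisons, accepted)."""
    accepted = sum(registry.setinfo(str(i), str(i)) for i in range(count))
    return len(registry.entries), registry.comparisons, accepted


BUILTIN = ["cvar_%d" % i for i in range(10)]  # constructed stand-in names


def compare(count=1000):
    before = measure(UserinfoRegistry(BUILTIN, create_on_miss=True), count)
    after = measure(UserinfoRegistry(BUILTIN, create_on_miss=False), count)
    return before, after


if __name__ == "__main__":
    before, after = compare()
    print("create-on-miss entries=%d comparisons=%d accepted=%d" % before)
    print("whitelist-only entries=%d comparisons=%d accepted=%d" % after)
```

In the create-on-miss model both the entry count and the per-call scan length grow with every unique key, which is step (c) in the message; in the whitelist-only model both stay fixed and only keys registered at connect are accepted.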