Calling Host_Error at this stage will cause a dead lock. Removed the call after performing several test (i think the reason all error calls are removed as of Titanfall 2 and Apex Legends (compared to Titanfall 1) is for this reason). Returning false does the job and allows the client to recover as soon as a valid packet comes in.
Implement bounds check for non-sanitized value of u.m_nNewEntity.
Debug builds of the engine have an assertion, however in release these are stripped.
This fixes a full chain client RCE exploit, for more information, see: https://ctf.re/source-engine/exploitation/2021/05/01/source-engine-2/
Client's can run string commands on the server with no rate limit. This means when you run 50k+ commands that are unknown, or spam 30k 'status' commands, you will be able to hang the server for 800/1200ms (15k/30kms if script printing to console is enabled!). Although the netchan processing budget system will kick you, the damage has already been done at this point. This change effectively breaks the ability to DOS the server from the client using networked string commands.
In easier words; binding 'status' to your mousewheel will get you kicked from the server, without hitching the server.
* Check if m_MessageHandler is removed before running limit test.
* Add warning DevMsg if client exceeds value.
* Default 'net_processTimeBudget' value to '200'.
* Use 'CClient::Disconnect(..)' for all kicks and bans (this automatically clears the entire CClient slot, and removes the net channel).
* Only force disconnect when 'CNetChan::m_nSignonState' has a value that is not NULL.
* Clear the ServerPlayer slot on 'CClient::Disconnect(..)' and 'CClient::Connect(..)'.
* Only kick player for NetChannel overflow when value exceeds processing budget (not equals).
Implement net message process budget (channel gets removed if value is exceeded).
Use 'net_processLimit' to enable the implementation on the server. It will get enabled by default after testing and some cleanup. This helps against people trying to slow the server down by spamming net messages with a higher rate, e.g. using 'bind "mousewheel_up" "status"'.
Removed extraneous 'FCVAR_SERVER_CAN_EXECUTE' flag. We disconnect clients using 'CClient::Disconnect(..)', relying on the client is useless without an anti-cheat and anti-tamper. Client can still use this to disconnect on its own though.
'migrateme' seemed useless as well, removed 'FCVAR_SERVER_CAN_EXECUTE'.
This makes all 'FCVAR_SERVER_CAN_EXECUTE' require 'FCVAR_DEVELOPMENTONLY' to be stripped, in order to execute without the '-devsdk' parameter (development launch arg),
This should allow users to host dedicated servers without looking back, as you should reload/restart a server every 3 hours (a full process restart is the most recommended option, but a 'soft' reload works like a charm most of the time).
We reset the idle name in HS_GAME_SHUTDOWN, but the restart command callback uses the name field to 'map' into the same map (restarting), which causes issues when we reset it to 'server_idle'.
Changed behavior to only reset name (non recursive) if we are running but do not have an active game.
* Replaced the boolean 'fatal' parameter with a error code parameter, anything non-null will prompt a message (fatal) and terminate the process with given error code.
* Fixed bug where the global ostreamsink for spdlog did NOT get cleared in 'SQVM_PrintFunc' when cvar 'sq_showvmoutput' was < 3. Moved to global scope.
* Added error message for when detouring the process has failed, with the error code.
* Only call 'Plat_GetProcessUpTime()' once per log, (improves performance and fixes bug where the error message box would show a different time stamp than what is logged into the console or file).
* All TIER0 loggers only log to notify and console when the SDK engine has fully initialized and detoured all functions.
* Fade notify text by a fixed amount regardless of the frame times.
* Implement Valve's 'lerping' animation for text when entries fade away and expire.
* Don't run/push/remove anything if 'con_drawnotify' is disabled.
Bool is a char on this platform, and UINT8_MAX is 0xff (255), yet we set this char to 256 causing arithmetic overflow. Looking at the assembly of the game, this really is a uint16_t, and gets set to 256 in CHostState::Init, parsed to State_NewGame as 256 before the lowbyte is being reset to 0.
* Installed change callback 'NET_UseRandomKeyChanged_f' for cvar 'net_useRandomKey' (when set, it will generate a random key as this is needed when this is enabled!).
* Fixed bug where multiple of the same entries get added to the global ban/refuse list.
* Fixed bug where we still use the client instance after deleting it in 'CBanSystem::BanListCheck()'.
* Load banlist at a later state (not at construction of class), this is needed for a future change of adapting the 'business' code to feature the game's FileSystem.
* CServer cleanup.
* More detailed ban messages (banned, added to refused list, removed from slot, etc..).
* Use localization key for banned message ("#Valve_Reject_Banned").
* Add const qualifiers to all CPylon methods.
Note:
* This commit requires changes on the master server, these changes are already performed, however the new master server isn't live yet until we publish the new release.
* Run 'CHostState::Think()' in the main thread.
* Construct 'NetGameServer_t' objects in main thread before dispatching (TODO: browser).
* Dispatch the call to 'CBanSystem::AddConnectionRefuse' from 'SV_IsClientBanned' to the main thread if we aren't main.
* Return bool for CBanSystem::AddEntry and CBanSystem::DeleteEntry for future optimizations (next commit).
* Only run '_DownloadPlaylists_f()' in the main thread, schedule for next frame if we aren't in the main thread. (this should fix crash cases related to disconnecting from the game).
* Locked read/write to CBrowser members (thread for obtaining the server list is detached, but once the 'slow' post operation in this thread is complete, mutex lock is acquired (locking the render thread if the browser is active) to set the string members of CBrowser, this operation is very fast as we only set the string and the color after the http post operation (this never caused a crash, but the behavior without any lock mechanism is technically undefined regardless).
* Obtain the host name dynamically from the ConVar 'pylon_matchmaking_hostname' (atomic operation). Initial approach was deleting the whole master server pointer just to construct a new httpclient object..
When fatal is set, the function will show a error dialogue, which will halt the process and close when the message is dismissed. Else we will end up in a crash.
Run all Cbuf_Execute calls in the main thread. This should fix every problem related to (but not only):
* Connecting to server while RUI dialogue is still open.
* Connecting to server while in an active game.
* Running 'weapon_reparse'.
* Fix all compiler error for GameSDK on S0 and S1.
* Remove some unused patterns and globals (launch performance gains of 100ms).
* Remove most duplicate patterns.
* Relocate globals from engine to a more appropriate location.
* Renamed some unknown vars to a more appropriate name (most of these where obtained a while back, but as we reversed more parts of the engine, some of these vars become known).
* Renamed some vars to fit the naming convention used in the SDK.
* Fixed pattern debug logging using the wrong pointer, thus displaying the wrong address.
