SFS Pro 1.6.18 patch bug


Mhollow
Posts: 24
Joined: 22 Feb 2012, 06:29
Location: Russia

SFS Pro 1.6.18 patch bug

Postby Mhollow » 14 Jan 2017, 11:23

It seems I've found a bug in the SFS 1.6.18 patch.
This patch has got a new feature:
- Added more severe policy for malformed packets (XML, JSON and string based). Malformed requests will cause immediate client disconnection.
The bug itself:
In case such a malformed packet arrives, SFS drops it and closes the socket but does not release the user "slot" assigned to it.
It leads to overflow of the max. available user room (e.g. for a trial SFS version, only 20 simultaneous users are available) and SFS stops accepting new connections.
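
The slot leak reported in the post above, as an added example that is not part of the original thread and is not SmartFoxServer code: a Python model that sets a handler which closes the connection on a malformed packet but keeps the user slot beside one that releases the slot on every exit path. `SlotPool`, the handler names and the JSON packets are constructed assumptions; the limit of 20 is the trial figure quoted in the post.

```python
import json

MAX_USERS = 20  # trial-licence limit quoted in the post

class SlotPool:
    """Hypothetical stand-in for the server's user-slot accounting."""
    def __init__(self, max_users=MAX_USERS):
        self.max_users, self.in_use = max_users, set()
    def acquire(self, conn_id):
        if len(self.in_use) >= self.max_users:
            return False
        self.in_use.add(conn_id)
        return True
    def release(self, conn_id):
        self.in_use.discard(conn_id)

def parse(raw):
    msg = json.loads(raw)  # raises ValueError (JSONDecodeError) on malformed input
    if not isinstance(msg, dict) or "cmd" not in msg:
        raise ValueError("no cmd field")
    return msg

def handle_leaky(pool, conn_id, packets):  # models the reported behaviour
    if not pool.acquire(conn_id):
        return "refused"
    for raw in packets:
        try:
            parse(raw)
        except ValueError:
            return "dropped"  # socket closed here, slot never released
    pool.release(conn_id)
    return "closed"

def handle_fixed(pool, conn_id, packets):  # slot is tied to the connection lifetime
    if not pool.acquire(conn_id):
        return "refused"
    try:
        for raw in packets:
            parse(raw)
        return "closed"
    except ValueError:
        return "dropped"
    finally:
        pool.release(conn_id)  # runs on every exit path, including the drop

def simulate(handler, clients=25):
    pool = SlotPool()
    session = ['{"cmd": "login"}', '{"cmd": ']  # constructed; second packet is truncated JSON
    outcomes = [handler(pool, i, session) for i in range(clients)]
    return outcomes.count("refused"), len(pool.in_use)
```

Comparing the number of held slots with the number of open sockets is the operational check this model suggests: in the leaky handler the two diverge after every dropped connection.
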
Lapo
Site Admin
Posts: 23007
Joined: 21 Mar 2005, 09:50
Location: Italy

Re: SFS Pro 1.6.18 patch bug

Postby Lapo » 16 Jan 2017, 15:57

Thanks, I've opened a ticket with your report.
We're investigating and I'll report back soon.

Stay tuned.
Lapo
--
gotoAndPlay()
...addicted to flash games
Lapo
Site Admin
Posts: 23007
Joined: 21 Mar 2005, 09:50
Location: Italy

Re: SFS Pro 1.6.18 patch bug

Postby Lapo » 17 Jan 2017, 14:48

UPDATE: we're not sure how to reproduce this.
Can you please send us a proof of concept of how to recreate the issue? You can use our support@... email box.

Thanks
Lapo

Lapo
Site Admin
Posts: 23007
Joined: 21 Mar 2005, 09:50
Location: Italy

Re: SFS Pro 1.6.18 patch bug

Postby Lapo » 26 Jan 2017, 16:23

I would have preferred you sent us an email.
If there's a way to attack the server it's best not to describe how it's done step by step in a public forum :shock: :wink:

Anyways thanks for the details, we'll investigate and let you know.
Lapo

ransaymour
Posts: 27
Joined: 20 Jun 2016, 18:30

Re: SFS Pro 1.6.18 patch bug

Postby ransaymour » 27 Jan 2017, 17:00

It also happens to my server.
But this happens only if the client sends a lot of requests to the extension, so the server is kicking the room visits :cry:
Last edited by ransaymour on 27 Jan 2017, 17:12, edited 2 times in total.
Lapo
Site Admin
Posts: 23007
Joined: 21 Mar 2005, 09:50
Location: Italy

Re: SFS Pro 1.6.18 patch bug

Postby Lapo » 27 Jan 2017, 17:02

We're working on a patch to be released next week.
I'll post more details here as we progress.

cheers
Lapo

ransaymour
Posts: 27
Joined: 20 Jun 2016, 18:30

Re: SFS Pro 1.6.18 patch bug

Postby ransaymour » 27 Jan 2017, 17:12

Thank you
Lapo
Site Admin
Posts: 23007
Joined: 21 Mar 2005, 09:50
Location: Italy

Re: SFS Pro 1.6.18 patch bug

Postby Lapo » 30 Jan 2017, 10:28

UPDATE:
Here is patch 1.6.19
Please download it and apply to your local environment, then see if you can still reproduce the problem.
From our end the problem seems solved.

Thanks
Lapo

Mhollow
Posts: 24
Joined: 22 Feb 2012, 06:29
Location: Russia

Re: SFS Pro 1.6.18 patch bug

Postby Mhollow » 01 Feb 2017, 06:09

Thanks for the patch, I've applied it, but I can't confirm that the problem is completely solved.
In the scenario that I described earlier (where two sockets are involved), SFS now closes the connected socket that the malformed message came from and does not perform the login procedure that follows the malformed message, but NOT IN ALL CASES. When this happens very fast in a loop, the valid user authentication procedure still eventually takes place (maybe 1 in 100-200 iterations), and the available user room storage could still be overflowed.
Lapo
Site Admin
Posts: 23007
Joined: 21 Mar 2005, 09:50
Location: Italy

Re: SFS Pro 1.6.18 patch bug

Postby Lapo » 01 Feb 2017, 08:57

I am not sure how to reproduce this, but I have another consideration and it is about the lack of a login validation.
Without a login credential check you're leaving the door open for abuse, because the potential attacker can spam the server knowing that any user will be accepted.

To me this seems like the bigger issue in the scenario you have described.

In any case if you have a script or proof of concept that can reproduce the issue we'll be happy to look into this further.
Lapo

garryjoshi
Posts: 1
Joined: 26 Feb 2018, 12:38

Re: SFS Pro 1.6.18 patch bug

Postby garryjoshi » 26 Feb 2018, 12:40

SmartFoxServer Pro is constantly crashing. I have the error logs; where am I supposed to send them, @Lapo?
Lapo
Site Admin
Posts: 23007
Joined: 21 Mar 2005, 09:50
Location: Italy

Re: SFS Pro 1.6.18 patch bug

Postby Lapo » 26 Feb 2018, 17:15

Hi,
you can start a new thread and provide all the details about the problem you're seeing.
Here's a list of what we need (it's for SFS2X but applies to PRO as well):
viewtopic.php?f=18&t=16497

Thanks
Lapo

prapat50
Posts: 1
Joined: 10 Apr 2018, 10:25

Re: SFS Pro 1.6.18 patch bug

Postby prapat50 » 10 Apr 2018, 10:35

SmartFoxServer Pro is constantly crashing
Lapo
Site Admin
Posts: 23007
Joined: 21 Mar 2005, 09:50
Location: Italy

Re: SFS Pro 1.6.18 patch bug

Postby Lapo » 10 Apr 2018, 13:27

prapat50 wrote: SmartFoxServer Pro is constantly crashing

Please open a new thread and give us the details.
This will help you:
viewtopic.php?f=18&t=16497
Lapo
