
The RCON crash


Kigen
BANNED
Join Date: Feb 2008
Old 09-25-2009 , 20:57   The RCON crash
Reply With Quote #1

This is a particularly low level debugging of what causes the RCON crash. This debug was done on Counter-Strike: Source on a Windows 2003 Server box.

It appears on line 0x201F7DA4 in engine.dll that the crash occurs because DS:[ESI] points to a non-existent place.

This is the ASM code for 0x201F7DA4:
Code:
201F7DA4   F3:A5            REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>
The crash seems to occur because SRCDS is kicking the player who just triggered the RCON protection out of the server when it IP bans someone. But because the RCON connection (which is now getting spammed with bad attempts) is associated to the client it tries to retrieve information from the client entity even though it is no longer there (educated guess) since the client has been removed from the server one way or another. Currently, it seems the only viable way to prevent this crash is to prevent the engine from removing the client while the attack is happening.

I feel that this may be some sort of string related function but I'm unsure as I'm not that experienced with ASM to make an accurate assessment.

My guess is that it is the oh so nice message letting you know someone is attempting bad passwords on the RCON.

I'm currently attempting ways to ban the client and keep the server alive but so far I've kind of hit a dead end as the server always seems to crash once you remove the client regardless of how it was done.
Kigen is offline
Kigen
BANNED
Join Date: Feb 2008
Old 09-25-2009 , 21:30   Re: The RCON crash
Reply With Quote #2

Well, small status update. It appears to be caused by the actual RCON built-in banning features themselves. I completely disabled "addip" and the server still crashed. Again though, the client had to be in the server.
Kigen is offline
Kigen
BANNED
Join Date: Feb 2008
Old 09-26-2009 , 04:00   Re: The RCON crash
Reply With Quote #3

There are more conditions than what I've posted here. Just to note.
Kigen is offline
Kigen
BANNED
Join Date: Feb 2008
Old 09-26-2009 , 05:50   Re: The RCON crash
Reply With Quote #4

I've figured out the major reason why some servers are crash-able while others are not. Pretty interesting stuff. I will not share this information on the public forums though as it is pretty blatant which servers are crash-able and which are not with this information.
Kigen is offline
devicenull
Veteran Member
Join Date: Mar 2004
Location: CT
Old 09-26-2009 , 12:12   Re: The RCON crash
Reply With Quote #5

What about just silently dropping packets from the client once they should be banned? I'm assuming srcds will eventually timeout the rcon connection (without crashing)
__________________
Various bits of semi-useful code in a bunch of languages: http://code.devicenull.org/
devicenull is offline
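
The suggestion above (drop a source's packets once it should be banned, rather than letting the engine remove the client) needs a way to pick out those sources from outside the engine. The following is an added example, not code from this thread or from SRCDS: it scans server log lines for failed RCON logins and returns the source IPs that reach a failure threshold, so a packet filter in front of the server can drop them. The log-line format, the threshold values, and all names are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed SRCDS log format for a failed RCON login; adjust to your server's logs.
# Lines are assumed to arrive in chronological order.
BAD_RCON = re.compile(
    r'^L (\d{2}/\d{2}/\d{4} - \d{2}:\d{2}:\d{2}): '
    r'rcon from "(\d{1,3}(?:\.\d{1,3}){3}):\d+": Bad Password'
)

def sources_to_drop(lines, max_failures=5, window=timedelta(seconds=30)):
    """Return {ip: time the threshold was reached} for sources with at least
    max_failures bad RCON passwords inside one sliding window."""
    recent = defaultdict(deque)   # ip -> failure timestamps still in the window
    flagged = {}
    for line in lines:
        m = BAD_RCON.match(line)
        if not m:
            continue              # not a failed RCON login
        ts = datetime.strptime(m.group(1), "%m/%d/%Y - %H:%M:%S")
        ip, q = m.group(2), recent[m.group(2)]
        q.append(ts)
        while ts - q[0] > window: # expire failures older than the window
            q.popleft()
        if len(q) >= max_failures and ip not in flagged:
            flagged[ip] = ts
    return flagged

# Constructed sample log (documentation-range IP addresses).
SAMPLE_LOG = [
    'L 09/25/2009 - 20:57:00: "Player<2><STEAM_ID_PENDING><>" connected, address "192.0.2.10:27005"',
    'L 09/25/2009 - 20:57:01: rcon from "192.0.2.10:51234": Bad Password',
    'L 09/25/2009 - 20:57:02: rcon from "192.0.2.10:51234": Bad Password',
    'L 09/25/2009 - 20:57:03: rcon from "192.0.2.10:51234": Bad Password',
    'L 09/25/2009 - 20:57:04: rcon from "192.0.2.10:51234": Bad Password',
    'L 09/25/2009 - 20:57:05: rcon from "192.0.2.10:51234": Bad Password',
    'L 09/25/2009 - 20:58:00: rcon from "198.51.100.7:40000": Bad Password',
    'L 09/25/2009 - 21:00:00: rcon from "198.51.100.7:40000": Bad Password',
]

if __name__ == "__main__":
    for ip, when in sources_to_drop(SAMPLE_LOG).items():
        print(f"drop {ip} (threshold reached at {when})")
```

Feeding the returned addresses to a firewall keeps the filtering decision outside the game server process; whether that avoids the crash discussed in this thread is not established here.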
Kigen
BANNED
Join Date: Feb 2008
Old 09-26-2009 , 12:37   Re: The RCON crash
Reply With Quote #6

Meh. SRCDS doesn't like to be silent.

Last edited by Kigen; 09-26-2009 at 12:46.
Kigen is offline
Kigen
BANNED
Join Date: Feb 2008
Old 09-26-2009 , 13:27   Re: The RCON crash
Reply With Quote #7

I've been too tired lately and didn't really get what you were saying devicenull till now. Ya, I would agree with that, though we'd have to make an extension/MM:S plugin to do that. I've been pushing the OnRCON() feature request but just need someone who can do it.
Kigen is offline
FoxMulder
Senior Member
Join Date: Jan 2009
Location: Orlando, FL
Old 09-26-2009 , 22:55   Re: The RCON crash
Reply With Quote #8

Interesting read. Rooting for ya.
__________________
FoxMulder is offline