Did anybody investigate whether the issue is caused by the engine not sharing the same baseline table pointers for all players, or whether it is due to an initial overflow in other table types which may share the same buffer space?
Also, what is the purpose of the baseline table, and can it be safely deleted on the server side as soon as the required info is synced with the client?
Still doesn't remove the big elephant in the room.
Allowing such an overflow opens up a path for an RCE exploit on both the server and its clients. I, as a server owner, definitely wouldn't want malicious users taking over my server and executing dangerous commands on the currently playing clients remotely due to such a "patch".
Valve won't help you with this even if it's an RCE exploit since they made that function work that way and precautions were already accounted for. By removing one of those precautions, the fault falls onto the server owners.
Additional info:
When that patch plug-in is unloaded while the game/server is still running, it turns the function from this:
Making the maps with string table dictionaries included in them unjoinable instead, but as I said before, this doesn't matter since there's an even bigger issue than that.
OK, I sent a pull request to fix at least the unloading part.
Not sure about the RCE ability; it depends on which information is used for generating that table: the server map or some client data. But it still doesn't look good. Agreed.