
Servers serving two instances of ServerBrowserProtocol packets inside one A2S_RULES packet
Assigned, Normal, Public

Description

While writing a server browser I noticed that a few servers were serving an invalid set of rules, using the ServerBrowserProtocol ( https://community.bistudio.com/wiki/Arma_3_ServerBrowserProtocol3 ).

After looking closer, I noticed the following:

Format specification:

Basically the rules data is generated according to the ServerBrowserProtocol.
Then, it is escaped and then split into key/val pairs:

1/3, 2/3, 3/3

that each have 127 bytes max.

What's happening:

Now if the string that has been generated is a multiple of 127 bytes (that's the only common thing I've noticed - I may be wrong, though) something strange happens: the resulting key/val pairs set is going to be expanded with another key/val set that is larger by one key, meaning that the keys you're going to get will be:

1/3, 2/3, 3/3, 1/4, 2/4, 3/4, 4/4

The x/3 packets (the "3" is an example here, of course) will contain the original set of data with the correct values.
The x/4 packets will form the same data as the x/3 packets BUT with (at least!) the overflow flags and the difficulty byte set to 0. The one or two "0x00" new bytes in the new buffer will then be escaped to "0x01 0x02" changing the length of the buffer to something else than a multiple of 127, explaining why a 3-packet set became a 4-packet.

For some reason, they are then both put into one A2S_RULES packet and sent to the people who query that server.

Details

Severity
Minor
Resolution
Open
Reproducibility
N/A
Operating System
Windows 10 x64
Category
Server Browser Steam
Steps To Reproduce

Unknown. Probably have rules data that is a multiple of 127 bytes after escaping and before splitting into chunks.

Additional Information

Example of such a server:
Full (A2S_RULES) packet:
b'\xff\xff\xff\xffE\x03\x00\x01\x01\x00\x03\x04\x01\x03\x0b\x89\x01\x01\xed\xf4!\xb4I\xca\x02\xd1c\x16\xe5\xbe\x88\xee\xde\xa8\x7f\x122P%\x06R zm\xb7\x12\xf3\xa5\xfd*\xae\xc5t\xcfW\xef\x97\x01\x03\xea\x1c\xbbq\x02\x05\x01\x03\xd4\x7f\x04\xb9\xee\x9b&\x11Extended Base Mod\xfeV<\xba\x04\xd07\xa9X\tExile Mod\x03\x02a3\x05exile\x0fExtendedBase3.5\x00\x01\x02\x00\x03\x01\x02\x01\x03\x0b\x01\x02\x01\x02\xed\xf4!\xb4I\xca\x02\xd1c\x16\xe5\xbe\x88\xee\xde\xa8\x7f\x122P%\x06R zm\xb7\x12\xf3\xa5\xfd*\xae\xc5t\xcfW\xef\x97\x01\x03\xea\x1c\xbbq\x02\x05\x01\x03\xd4\x7f\x04\xb9\xee\x9b&\x11Extended Base Mod\xfeV<\xba\x04\xd07\xa9X\tExile Mod\x03\x02a3\x05exile\x0fExtendedBase3\x00\x02\x02\x00.5\x00'

Packet split into a key/val list:

[
    Entry(b'\x01\x01', b'\x03\x04\x01\x03\x0b\x89\x01\x01'
                       b'\xed\xf4!\xb4I\xca\x02\xd1c\x16\xe5\xbe\x88\xee\xde\xa8\x7f\x122P%\x06R zm\xb7\x12\xf3\xa5'
                       b'\xfd*\xae\xc5t\xcfW\xef\x97\x01\x03\xea\x1c\xbbq\x02\x05\x01\x03\xd4\x7f\x04\xb9\xee\x9b&'
                       b'\x11Extended Base Mod\xfeV<\xba\x04\xd07\xa9X\tExile Mod\x03\x02a3\x05exile\x0f'
                       b'ExtendedBase3.5'),
    Entry(b'\x01\x02', b'\x03\x01\x02\x01\x03\x0b\x01\x02\x01\x02'
                       b'\xed\xf4!\xb4I\xca\x02\xd1c\x16\xe5\xbe\x88\xee\xde\xa8\x7f\x122P%\x06R zm\xb7\x12\xf3\xa5'
                       b'\xfd*\xae\xc5t\xcfW\xef\x97\x01\x03\xea\x1c\xbbq\x02\x05\x01\x03\xd4\x7f\x04\xb9\xee\x9b&'
                       b'\x11Extended Base Mod\xfeV<\xba\x04\xd07\xa9X\tExile Mod\x03\x02a3\x05exile\x0f'
                       b'ExtendedBase3'),
    Entry(b'\x02\x02', b'.5'),
]

In this example, the correct value that should be sent through the network is only the 1/1 key (first one).

If needed, I can hunt for and provide you with other servers exhibiting such behavior along with full packets.

cc: @dedmen

Another server, with more data:

[
    Entry(b'\x01\x04', b'\x03\x04\x01\x03\x0b\x89\x01\x01'
                       b'\xed\xf4!\xb4I\xca\x02\xd1c\x16\xe5\xbe\x88\xee\xde\xa8\x7f\x122P%\x06R zm\xb7\x12\xf3\xa5'
                       b'\xfd*\xae\xc5t\xcfW\xef\x97\x01\x03\xea\x1c\xbbq\x0b\xc1\xabS\x8d\x04\x1d\xf7G2\x19'
                       b'RHS: United States Forcesyv\x19\xc1\x04g\xceH2\x19RHS: Serbian Armed Forces\x9dY}'),
    Entry(b'\x01\x05', b'\x03\x01\x02\x01\x03\x0b\x12\x01\x02'
                       b'\xed\xf4!\xb4I\xca\x02\xd1c\x16\xe5\xbe\x88\xee\xde\xa8\x7f\x122P%\x06R zm\xb7\x12\xf3\xa5'
                       b'\xfd*\xae\xc5t\xcfW\xef\x97\x01\x03\xea\x1c\xbbq\x0b\xc1\xabS\x8d\x04\x1d\xf7G2\x19'
                       b'RHS: United States Forcesyv\x19\xc1\x04g\xceH2\x19RHS: Serbian Armed Forces\x9dY'),
    Entry(b'\x02\x04', b'\xdc\x04\xaf6H2\tRHS: GREF\xeck4\xe0\x04O\xa5E2+'
                       b'RHS: Armed Forces of the Russian Federation\xc8\xdd\x7f\xa4\x04\xc5\xe9\xdd\x13\x11'
                       b'Enhanced Movement73V\xd8\x04\x15\xe4\xde\x1a\x1dCommunity Base Addons'),
    Entry(b'\x02\x05', b'}\xdc\x04\xaf6H2\tRHS: GREF\xeck4\xe0\x04O\xa5E2+'
                       b'RHS: Armed Forces of the Russian Federation\xc8\xdd\x7f\xa4\x04\xc5\xe9\xdd\x13\x11'
                       b'Enhanced Movement73V\xd8\x04\x15\xe4\xde\x1a\x1dCommunity Base Addon'),
    Entry(b'\x03\x04', b' v3.14.0\x01\x01D\xf1\xbe\x04\xa8\xf4\x14.+@ACE_Compat__RHS_United_States_Armed_Forces'
                       b'\xf6%\xbc\x0b\x047\x85\xbf4\x15@ACE_Compat__RHS_GREF\x93\x8f\xa5\xbc\x04\xc0\x0b\x15.7@'
                       b'ACE_Compat__RHS_Armed_F'),
    Entry(b'\x03\x05', b's v3.14.0\x01\x01D\xf1\xbe\x04\xa8\xf4\x14.+@ACE_Compat__RHS_United_States_Armed_Forces'
                       b'\xf6%\xbc\x0b\x047\x85\xbf4\x15@ACE_Compat__RHS_GREF\x93\x8f\xa5\xbc\x04\xc0\x0b\x15.7@'
                       b'ACE_Compat__RHS_Armed_'),
    Entry(b'\x04\x04', b'orces_of_the_Russian_FederationLW\xe8\x12\x04x\x0c7*('
                       b'Advanced Combat Environment Extras 3.5.1\xbd\x82\x89\xd0\x04\xf1%\xa7\x1b"'
                       b'Advanced Combat Environment 3.13.1\x01\x02'),
    Entry(b'\x04\x05', b'Forces_of_the_Russian_FederationLW\xe8\x12\x04x\x0c7*('
                       b'Advanced Combat Environment Extras 3.5.1\xbd\x82\x89\xd0\x04\xf1%\xa7\x1b"'
                       b'Advanced Combat Environment 3.13.1\x01'),
    Entry(b'\x05\x05', b'\x02'),
]
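
A client-side way to cope with such responses, as an added example that is not part of the original report or of the game's code: group the chunks by their declared total, reassemble every complete set, and flag the response when more than one set is present. The function names and the small SAMPLE packet are constructed for illustration; preferring the set with the fewest chunks is a heuristic based on the report's observation that the smaller set carries the correct data.

```python
import struct
from collections import defaultdict

# Escape pairs: 0x00 -> 01 02 is stated in the report; the 0x01 and 0xFF
# mappings follow the linked ServerBrowserProtocol wiki page.
UNESCAPE = {0x01: 0x01, 0x02: 0x00, 0x03: 0xFF}

def split_rules(packet):
    """Split an A2S_RULES response into (key, value) byte pairs."""
    if packet[:5] != b"\xff\xff\xff\xffE":
        raise ValueError("not an A2S_RULES response")
    (count,) = struct.unpack_from("<H", packet, 5)
    fields = packet[7:].split(b"\x00")  # escaping keeps 0x00 out of values
    if len(fields) < 2 * count:
        raise ValueError("truncated rules list")
    return [(fields[2 * i], fields[2 * i + 1]) for i in range(count)]

def unescape(data):
    out, it = bytearray(), iter(data)
    for b in it:
        if b == 0x01:  # escape marker: the next byte selects the real value
            b = UNESCAPE.get(next(it, None))
            if b is None:
                raise ValueError("bad escape sequence")
        out.append(b)
    return bytes(out)

def chunk_sets(packet):
    """Return {total: unescaped payload} for every complete chunk set."""
    groups = defaultdict(dict)
    for key, value in split_rules(packet):
        if len(key) != 2 or not 1 <= key[0] <= key[1]:
            continue  # not an index/total chunk key
        groups[key[1]][key[0]] = value
    # Join before unescaping: an escape pair can straddle a chunk boundary,
    # as with the 4/5 and 5/5 entries in the second listing above.
    return {t: unescape(b"".join(c[i] for i in range(1, t + 1)))
            for t, c in groups.items() if len(c) == t}

def pick_rules(packet):
    """Return (payload, ambiguous); heuristic: prefer the smallest set."""
    sets = chunk_sets(packet)
    if not sets:
        raise ValueError("no complete chunk set")
    return sets[min(sets)], len(sets) > 1

# Constructed sample: a 1/1 set plus a 1/2, 2/2 set with one byte zeroed.
SAMPLE = (b"\xff\xff\xff\xffE\x03\x00" b"\x01\x01\x00\x0b\x89hi\x00"
          b"\x01\x02\x00\x0b\x01\x00" b"\x02\x02\x00\x02hi\x00")
print(pick_rules(SAMPLE))
```

A server browser can log the ambiguous flag to collect further affected servers.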

Event Timeline

overflo created this task. Tue, Mar 17, 6:34 PM
overflo edited Additional Information.
overflo edited Additional Information. Tue, Mar 17, 6:42 PM
dedmen claimed this task. Tue, Mar 24, 3:29 PM
dedmen changed the task status from New to Assigned.