Sending packets to deallocated cClientHandle

FakeTruth · 03-17-2012, 09:00 PM

Server can send packets to a cClientHandle that no longer exists, a dangling pointer.

It happens in cChunk::Broadcast, but it crashes somewhere deeper in the stack.

[Image: Screenshot-2012-03-17_11.57.53.png]

[Image: Screenshot-2012-03-17_11.57.53.png]

Something to note is that the server was updating .pak files from version 2 to 3. A client disconnected somewhere in the middle of conversion (thought it has a different address than the dangling pointer), and the server crashes after conversion was done.

Simply put, cChunk had a dangling pointer in m_LoadedByClient

xoft · 03-17-2012, 10:50 PM

You could have captured a crashdump for later analysis. Without it there's not much I can do.

xoft · 03-18-2012, 12:36 AM

And how did the client disconnect? If it was already downloading terrain, then it shouldn't disconnect (we answer to keepalives) and the client has no GUI for disconnecting at that state, other than closing the client altogether.

FakeTruth · 03-18-2012, 11:34 PM

(03-18-2012, 12:36 AM)xoft Wrote: And how did the client disconnect? If it was already downloading terrain, then it shouldn't disconnect (we answer to keepalives) and the client has no GUI for disconnecting at that state, other than closing the client altogether.

When the player is already in the game, and moves to somewhere that hasn't been converted yet, the player can simply press escape and disconnect

xoft · 03-19-2012, 03:48 AM

Right, somehow I thought you were referring to the initial connection phase.

Well, anyway, I'm afraid you're on your own on this one, as I haven't seen such a failure happen yet.

FakeTruth · (This post was last modified: 03-19-2012, 05:26 AM by FakeTruth.)

I tried to track down why this happened, but I can't find a reason Sad