-
Notifications
You must be signed in to change notification settings - Fork 2.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SECURE_NPCTIMEOUT behavior review. #3391
Comments
please add your hash this maybe related https://rathena.org/board/topic/116508-how-to-privent-this-hacker/ however i can't Reproduce both |
@sader1992 This affects until head revision. My example, you can go to the Mercenary Manager > Select HIRE > Wait on this screen til the close button appears (60sec ~): This is not a bug on the mercenary NPC, but with the timeout of the menu. it should end the script, and not reset it. Att |
@sader1992 yes, and the way this specific script do the checking, you can get the item for "free". The fix should not be on the script, this is a problematic behavior in the select()/Menu timeout that could lead to a LOT of exploits/problems. i am disabling SECURE_NPCTIMEOUT for now on my server. |
* Fixes #3391. * Properly end NPC sessions when a player times out. Thanks to @gustavobrigo!
@aleos89 just a follow up, i've disabled SECURE_NPCTIMEOUT on my server, it hurts a bit the performance, i got 10% lower load average on map-server after disabling it, i know it is a protection to poor written npc scripts, but, i don't know if the performance trade off worth it. |
@gustavobrigo do you mean after you install the PR above ? (i don't see anything wrong with it xD) if not , test the pr the problem has been fixed with it |
@sader1992 no no, i know the fix is working. Instead i've chosen to disable SECURE_NPCTIMEOUT entirely. And i saw a bit of performance improvement after it. |
That's because when a player is talking to a NPC, there's a timer that's attached to the player for that NPC to check timeouts. And this feature is not to check for poorly written NPC. It's an official feature that clears NPC from players that just idle out. I would assume your load difference has to do with a custom script you're using at login that's continuously attached to logged in players. |
@aleos89 yes it could be, we have a OnPCLoginEvent script and 2k players rs. But this official behavior could be configurable at battle config in that case, its just a suggestion because in that case i don't see any harm on disabling it to increase performance. =D |
helo @gustavobrigo after 4befcf7 can you test this bug again? can player got free mercenary again? |
@mazvi im unable to test, i opted to disable the entire timeout on my server. |
@mazvi i did test it , and the bug have been fixed with this |
* Fixes rathena#3381 and fixes rathena#3391. * Properly end NPC sessions when a player times out. Thanks to @mazvi, @Anacondaqq, and @gustavobrigo!
Today we discovered some players abusing on Mercenarys Rental system, it basically waits for the timeout of SECURE_NPCTIMEOUT on the scroll selection menu. When it hits close, it returns to the menu and due how the script do the check, it can get the last item of the meny (mercenary lv10) withou any cost or check:
This is just an example of exploit created by the timeout, in this case, we can hire a 99 mercenary without any zeny or afinity check because it bypass all the checks in this case.
This is not a problem with the mercenary scritpt itself, but because when SECURE_NPCTIMEOUT hits the menu timeout it keeps executing with a select() return value of 0 (which should never happen).
The text was updated successfully, but these errors were encountered: