Vehicle damage sync is incomplete

[Nico8340]

Describe the bug

Vehicle damage synchronization is incomplete. The onVehicleDamage event should include all the parameters that onClientVehicleDamage provides, but this is not the primary issue. The main concern is that several validations are missing due to this incompleteness, allowing a player to damage or destroy a vehicle by sending packets. Related to #3943.

Steps to reproduce

1. Launch a debug build of MTA.
2. Start a local server and connect to it.
3. Ensure that the default resources are installed and running.
4. In the console, type giveweapon 31 and press Enter (this simulates a cheater obtaining a weapon).
5. In the console, type cv admiral and press Enter.
6. Start shooting at the spawned admiral (this simulates sending packets via a cheat).
7. See the results.

Version

No response

Additional context

Client: v1.6.0-release-22934 (Windows 11, 64-bit)
Server: v1.6.0-release-22934 (Windows 11, 64-bit)

Relevant log output

Security Policy

• I have read and understood the Security Policy and this issue is not security related.

[TheNormalnij]

It's disabled for purpose. onClientVehicleDamage causes massive event spam on the client side. Try to collide with a wall in a vehicle, and you will get an event every frame.

[Nico8340]

It's disabled for purpose. onClientVehicleDamage causes massive event spam on the client side. Try to collide with a wall in a vehicle, and you will get an event every frame.

Regardless, these packets should definitely be validated, because this way a player with malicious intents can damage all vehicles on a server, which may not seem like a big deal in some game modes, but in a roleplay game mode it can ruin the entire experience, in fact we are talking about a fundamental bug

[imfelipedev]

It's disabled for purpose. onClientVehicleDamage causes massive event spam on the client side. Try to collide with a wall in a vehicle, and you will get an event every frame.

Regardless, these packets should definitely be validated, because this way a player with malicious intents can damage all vehicles on a server, which may not seem like a big deal in some game modes, but in a roleplay game mode it can ruin the entire experience, in fact we are talking about a fundamental bug

Fixing this bug would significantly improve RP/RPG servers. Unfortunately, there are still other security issues related to vehicles. A malicious client can, for example, instantly repair a vehicle or launch another vehicle — and even players — far away, completely ruining the experience for others.

[ghost]

It's disabled for purpose. onClientVehicleDamage causes massive event spam on the client side. Try to collide with a wall in a vehicle, and you will get an event every frame.

Currently the two event onClientVehicleDamage and onVehicleDamage works exactly the same, except the latter doesn't provide all params which needed. But both event would be triggered/spammed on both sides. They both trigger for any type of damage, for e.g colliding with walls.

I was thinking that the two event are look-alike so they should share the same params as well, so we wouldn't have to rely on client code.

Maybe another solution could be to divide vehicle damages into more events, so not one event will be spam-triggered for everything. Like creating two new events: onClientPedDamagesVehicle and onPedDamagesVehicle so these two would trigger for any type of damage to vehicles coming from only peds/players.

The onClientVehicleDamage and onVehicleDamage would trigger for everything else, except ped/player damage.

Only downside is that there could be problems with projectiles, explosions, player created fires - these might not trigger the pedDamagesVehicle event.

[TheNormalnij]

Currently the two event onClientVehicleDamage and onVehicleDamage works exactly the same, except the latter doesn't provide all params which needed. But both event would be triggered/spammed on both sides. They both trigger for any type of damage, for e.g colliding with walls.

No. The game triggers "onClientVehicleDamage" for every damage source, and the server triggers "onVehicleDamage" after health changes in vehicle sync packages. Cheaters don't send any "damage" packets. There are no "ondamage" packets for vehicles at all. Only a victim syncs vehicle health.

If the game sends "onClientVehicleDamage" to the server for every damage, it might cause network troubles and disconnects to victims. It gives cheaters a more advanced tool to cheat.

If you need information about damage sources, you need to aggregate it on the client, filter it, and send it to the server.