pmmp / BedrockProtocol

An implementation of the Minecraft: Bedrock Edition protocol in PHP
GNU Lesser General Public License v3.0

Fixed server freezing vulnerability in multiple packets #245

Open Gewinum opened 2 months ago

Gewinum commented 2 months ago

There is even a plugin called AntiBadPackets about it, but I think some of these vulns are better handled here.

dries-c commented 2 months ago

The issue is that these are arbitrary values. Ideally, Mojang themselves would put maximum values on these.

Gewinum commented 2 months ago

> The issue is that these are arbitrary values. Ideally, Mojang themselves would put maximum values on these.

What do you suggest then? I'm often seeing servers affected by this attack.

Gewinum commented 2 months ago

> The issue is that these are arbitrary values. Ideally, Mojang themselves would put maximum values on these.

What if we just increase all of them to 500 or 1000?

ShockedPlot7560 commented 2 months ago

In the absence of a maximum value defined by Mojang, we can't set a maximum value ourselves.

Gewinum commented 2 months ago

> In the absence of a maximum value defined by Mojang, we can't set a maximum value ourselves.

Maybe you can attempt to discuss that with them? I'm basically freezing the server simply by sending a million entries in a textpacket.

SOF3 commented 2 months ago

In the future, please send vulnerability patches to us privately via team@pmmp.io instead of a public pull request.

dktapps commented 1 month ago

> Maybe you can attempt to discuss that with them?

Imagine thinking that'd work.

Gewinum commented 1 month ago

> > Maybe you can attempt to discuss that with them?
>
> Imagine thinking that'd work.

The whole purpose of Mojang is to "improve security", and it would be really bad of them to refuse to fix a vulnerability that affects BDS.

dktapps commented 1 month ago

> > > Maybe you can attempt to discuss that with them?
> >
> > Imagine thinking that'd work.
>
> The whole purpose of Mojang is to "improve security", and it would be really bad of them to refuse to fix a vulnerability that affects BDS.

They've known about it for years already.

Zwuiix-cmd commented 3 weeks ago

My suggestion is to set the value high enough so that there can be no problems, but low enough to avoid this kind of attack, and I would like to point out that you have forgotten a huge number of packets @Gewinum

Gewinum commented 3 weeks ago

> My suggestion is to set the value high enough so that there can be no problems, but low enough to avoid this kind of attack, and I would like to point out that you have forgotten a huge number of packets @Gewinum

No point in going on with the PR; they say Mojang has no limit, so PM won't have one either. The best choice is to limit via proxy. As for the other packets, I wanted to check if I could fix the annoying textpacket vulnerability first, because it's the most OP.
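The decoding pattern the thread argues about, as an added example written for this page and not code from pmmp/BedrockProtocol: read the client-sent count, reject it before any per-entry loop runs, and, alongside the server-chosen cap that Mojang never defined, apply a second bound that needs no protocol constant at all (a count can never exceed the bytes left in the buffer). The ByteReader and DecodeException classes and the 64-entry cap are assumptions standing in for the library's own serializer and exception types.

```php
<?php
// Added example, not pmmp/BedrockProtocol code: decoding a length-prefixed list without
// trusting the client-sent count. ByteReader/DecodeException stand in for the library's own classes.
final class DecodeException extends RuntimeException {}

final class ByteReader {
    private int $offset = 0;
    public function __construct(private string $buf) {}
    public function remaining(): int { return strlen($this->buf) - $this->offset; }

    /** Unsigned LEB128 varint, the encoding Bedrock uses for counts and lengths. */
    public function readUnsignedVarInt(): int {
        $value = 0;
        for ($shift = 0; $shift < 35; $shift += 7) {
            if ($this->remaining() < 1) throw new DecodeException("unexpected end of buffer");
            $b = ord($this->buf[$this->offset++]);
            $value |= ($b & 0x7f) << $shift;
            if (($b & 0x80) === 0) return $value;
        }
        throw new DecodeException("varint too long");
    }

    /** Varint length followed by that many raw bytes. */
    public function readString(): string {
        $len = $this->readUnsignedVarInt();
        if ($len > $this->remaining()) throw new DecodeException("string length $len exceeds remaining bytes");
        $s = substr($this->buf, $this->offset, $len);
        $this->offset += $len;
        return $s;
    }
}

/** Reads the count and rejects it before any allocation or per-entry loop runs. */
function readStringList(ByteReader $in, int $maxEntries): array {
    $count = $in->readUnsignedVarInt();
    if ($count > $maxEntries) throw new DecodeException("$count entries exceeds cap of $maxEntries");
    // Needs no protocol constant: every entry costs at least one byte, so a count larger
    // than the bytes left is always a malformed or hostile packet.
    if ($count > $in->remaining()) throw new DecodeException("$count entries but only {$in->remaining()} bytes left");
    $out = [];
    for ($i = 0; $i < $count; $i++) $out[] = $in->readString();
    return $out;
}

// Constructed input: count = 1 000 000 (LEB128 bytes C0 84 3D) followed by one 1-byte string.
$hostile = "\xC0\x84\x3D" . "\x01A";
try { readStringList(new ByteReader($hostile), 64); }
catch (DecodeException $e) { echo "rejected: ", $e->getMessage(), "\n"; }
// Constructed input: two strings, "hi" and "yo", which decodes normally.
var_dump(readStringList(new ByteReader("\x02\x02hi\x02yo"), 64));
```

The remaining-bytes check is the one that needs no agreement from Mojang: it rejects the million-entry case from the thread on the first line of the list decoder, before a single entry is allocated.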