Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS01amZ3LTM1eHAtNW00Ms04jQ

Buffer length underflow in LoginPacket causing unchecked exceptions to be thrown

Impact

LoginPacket uses BinaryStream->getLInt() to read the lengths of JSON payloads it wants to decode. Unfortunately, BinaryStream->getLInt() returns a signed integer, meaning that a malicious client can craft a packet with a large uint32 value for payload buffer size (which would be interpreted as a negative signed int32), causing BinaryStream->get() to throw an exception.

In the context of PocketMine-MP, this leads to a server crash when the vulnerability is exploited.

Patches

e3fce7632b94e83fd6a518a87dcaf6a11681c4ac

Workarounds

This can be worked around by registering a custom LoginPacket implementation into PacketPool which overrides this code to patch it.

For more information

• Email us at [email protected]

Permalink: https://github.com/advisories/GHSA-5jfw-35xp-5m42
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01amZ3LTM1eHAtNW00Ms04jQ
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: almost 2 years ago

CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Identifiers: GHSA-5jfw-35xp-5m42
References:

• https://github.com/pmmp/BedrockProtocol/security/advisories/GHSA-5jfw-35xp-5m42
• https://github.com/pmmp/BedrockProtocol/commit/e3fce7632b94e83fd6a518a87dcaf6a11681c4ac
• https://github.com/advisories/GHSA-5jfw-35xp-5m42

Repository: https://github.com/pmmp/BedrockProtocol
Blast Radius: 15.3

Affected Packages