Impact
An attacker could crash PocketMine-MP by sending malformed JSON in LoginPacket
.
This happened due to a bug in netresearch/jsonmapper
. The library wasn't doing proper checks when mapping JSON arrays and objects onto scalar model properties such as strings.
Patches
The problem was fixed in a fork of JsonMapper in pmmp/netresearch-jsonmapper@a31902a. PocketMine-MP releases 4.20.5 and 4.21.1 have been released with the fix.
Workarounds
- Users of PocketMine-MP source installations may manually install the patched version of JsonMapper by backporting commit 09668a3.
- A plugin may also be able to workaround this issue by using
DataPacketReceiveEvent
to attempt detection of suspicious payloads. An ErrorException
will be thrown in the crash case, which can be caught by plugins.
References
cweiske/jsonmapper#210
Impact
An attacker could crash PocketMine-MP by sending malformed JSON in
LoginPacket
.This happened due to a bug in
netresearch/jsonmapper
. The library wasn't doing proper checks when mapping JSON arrays and objects onto scalar model properties such as strings.Patches
The problem was fixed in a fork of JsonMapper in pmmp/netresearch-jsonmapper@a31902a. PocketMine-MP releases 4.20.5 and 4.21.1 have been released with the fix.
Workarounds
DataPacketReceiveEvent
to attempt detection of suspicious payloads. AnErrorException
will be thrown in the crash case, which can be caught by plugins.References
cweiske/jsonmapper#210