NBT overflow patch

Patch for the NBT overflow exploit, which allowed any player to overflow
and drain the server's memory, making it freeze and eventually crash.
xGamingDudex 2015-09-26 01:48:38 +02:00
parent 633cbdabe2
commit 436f63860e
5 changed files with 140 additions and 0 deletions


@ -48,6 +48,17 @@ public class PacketHandler extends MiniPlugin
EnumProtocol.PLAY.a().put(2, PacketPlayUseEntity.class); EnumProtocol.PLAY.a().put(2, PacketPlayUseEntity.class);
EnumProtocol.PLAY.a().put(PacketPlayUseEntity.class, 2); EnumProtocol.PLAY.a().put(PacketPlayUseEntity.class, 2);
// NBT Overflow Exploit Handlers
EnumProtocol.PLAY.a().put(8, PacketPlayInBlockPace.class);
EnumProtocol.PLAY.a().put(PacketPlayInBlockPace.class, 8);
EnumProtocol.PLAY.a().put(14, PacketPlayInWindowClick.class);
EnumProtocol.PLAY.a().put(PacketPlayInWindowClick.class, 14);
EnumProtocol.PLAY.a().put(16, PacketPlayInSetCreativeSlot.class);
EnumProtocol.PLAY.a().put(PacketPlayInSetCreativeSlot.class, 16);
// ----------------------------
Method method = ProtocolInjector.class.getDeclaredMethod("addPacket", EnumProtocol.class,boolean.class, int.class, Class.class); Method method = ProtocolInjector.class.getDeclaredMethod("addPacket", EnumProtocol.class,boolean.class, int.class, Class.class);
method.setAccessible(true); method.setAccessible(true);
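Review bot: Only the three packet ids registered here (8, 14 and 16) get the size-limited serializer, so the fix holds only if these are every inbound path that decodes an item stack or NBT compound from client data. Any other code that builds a plain `PacketDataSerializer` and calls `c()` or `b()` on client-supplied bytes would still use the unbounded reader; that is worth auditing before treating the issue as closed. The ids are bare literals, so a comment such as `// ids must match the PLAY ids of the NMS packets being replaced: 8 = block place, 14 = window click, 16 = creative slot` would help the next protocol update. The enclosing method starts and ends outside this hunk, so how registration failures are handled cannot be seen here.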


@ -0,0 +1,15 @@
package mineplex.core.packethandler;
import net.minecraft.server.v1_7_R4.PacketDataSerializer;
import net.minecraft.server.v1_7_R4.PacketPlayInBlockPlace;
public class PacketPlayInBlockPace extends PacketPlayInBlockPlace
{
@Override
public void a(PacketDataSerializer data)
{
super.a(WrappedPacketDataSerializer.wrapDataSerializer(data));
}
}
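Review bot: `WrappedPacketDataSerializer.wrapDataSerializer(data)` returns null when its reflection lookup fails, and `a` passes that result straight to `super.a`, so a failure surfaces as a NullPointerException during packet decoding instead of a clear error. The same pattern is repeated in `PacketPlayInSetCreativeSlot.a` and `PacketPlayInWindowClick.a`. The simplest fix is in the helper: replace `return null;` with `throw new IllegalStateException("cannot wrap PacketDataSerializer", e);`, and look the field up with `PacketDataSerializer.class.getDeclaredField("a")` (presumably where it is declared), because `data.getClass()` fails if `data` is ever a subclass instance. Separately, `PacketPlayInBlockPace` looks like a typo for "BlockPlace"; the PacketHandler registration uses the same name, so both would need renaming together.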


@ -0,0 +1,15 @@
package mineplex.core.packethandler;
import net.minecraft.server.v1_7_R4.PacketDataSerializer;
public class PacketPlayInSetCreativeSlot extends net.minecraft.server.v1_7_R4.PacketPlayInSetCreativeSlot
{
@Override
public void a(PacketDataSerializer data)
{
super.a(WrappedPacketDataSerializer.wrapDataSerializer(data));
}
}


@ -0,0 +1,14 @@
package mineplex.core.packethandler;
import net.minecraft.server.v1_7_R4.PacketDataSerializer;
public class PacketPlayInWindowClick extends net.minecraft.server.v1_7_R4.PacketPlayInWindowClick
{
@Override
public void a(PacketDataSerializer data)
{
super.a(WrappedPacketDataSerializer.wrapDataSerializer(data));
}
}


@ -0,0 +1,85 @@
package mineplex.core.packethandler;
import java.io.DataInputStream;
import java.io.InputStream;
import java.lang.reflect.Field;
import org.bukkit.craftbukkit.v1_7_R4.inventory.CraftItemStack;
import org.spigotmc.LimitStream;
import net.minecraft.server.v1_7_R4.Item;
import net.minecraft.server.v1_7_R4.ItemStack;
import net.minecraft.server.v1_7_R4.NBTCompressedStreamTools;
import net.minecraft.server.v1_7_R4.NBTReadLimiter;
import net.minecraft.server.v1_7_R4.NBTTagCompound;
import net.minecraft.server.v1_7_R4.PacketDataSerializer;
import net.minecraft.util.io.netty.buffer.ByteBuf;
import net.minecraft.util.io.netty.buffer.ByteBufInputStream;
public class WrappedPacketDataSerializer extends PacketDataSerializer
{
public WrappedPacketDataSerializer(ByteBuf bytebuf)
{
super(bytebuf);
}
public WrappedPacketDataSerializer(ByteBuf bytebuf, int version)
{
super(bytebuf, version);
}
@Override
public ItemStack c()
{
try {
ItemStack itemstack = null;
short short0 = readShort();
if (short0 >= 0)
{
byte b0 = readByte();
short short1 = readShort();
itemstack = new ItemStack(Item.getById(short0), b0, short1);
itemstack.setTag(b());
if (itemstack.getTag() != null) {
CraftItemStack.setItemMeta(itemstack, CraftItemStack.getItemMeta(itemstack));
}
}
return itemstack;
} catch (Exception e) {
this.clear();
return null;
}
}
@Override
public NBTTagCompound b()
{
int i = readerIndex();
byte b0 = readByte();
if (b0 == 0) {
return null;
}
readerIndex(i);
ByteBufInputStream data = new ByteBufInputStream(this);
NBTReadLimiter nbtreadlimiter = new NBTReadLimiter(2097152L);
return NBTCompressedStreamTools.a(new DataInputStream(new LimitStream((InputStream)data, nbtreadlimiter)), nbtreadlimiter);
}
public static WrappedPacketDataSerializer wrapDataSerializer(PacketDataSerializer data) {
try
{
Field a = data.getClass().getDeclaredField("a");
a.setAccessible(true);
ByteBuf buff = (ByteBuf) a.get(data);
WrappedPacketDataSerializer w = new WrappedPacketDataSerializer(buff, data.version);
return w;
}
catch (Exception e)
{
e.printStackTrace();
return null;
}
}
}
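Review bot: The `catch (Exception e)` in `c()` drops the failure without logging, clears the buffer and returns null, which is the same value a legitimately empty slot produces (`short0 < 0`). A payload rejected by the `NBTReadLimiter` therefore leaves no trace for operators, and the calling packet keeps decoding against an emptied buffer. Logging the rejection and rethrowing, e.g. `throw new RuntimeException("rejected item stack NBT", e);`, would make attempts visible and presumably let the network layer close the connection; confirm how decode exceptions are handled upstream. Note also that `catch (Exception)` does not cover `Error` subclasses such as `StackOverflowError`, so it is worth confirming whether the limiter bounds nesting depth as well as size. The literal `2097152L` in `b()` would read better as a named constant with a comment stating it is the maximum NBT size accepted from a client.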