Cuberite ForumCuberiteDiscussion
Security issue in Java based server

Threaded Mode
Security issue in Java based server
tigerw Offline
Cuberite Developer
******
Posts: 952
Threads: 16
Joined: May 2013
Thanks: 21
Given 16 thank(s) in 89 post(s)
#11
04-19-2015, 01:59 AM
(04-18-2015, 11:11 PM)Jammet Wrote: Sadly, I know nothing John Snow, er I mean, of how to work it. Hope you all on the team find it's not too much hassle.

References.
Find
Reply
Thanks given by:
xoft Offline
Cuberite Developer
******
Posts: 6,486
Threads: 176
Joined: Jan 2012
Thanks: 40
Given 157 thank(s) in 838 post(s)
#12
04-19-2015, 02:33 AM
Recursion depth alone won't prevent this attack - it has a maximum depth of 6, which is a perfectly reasonable NBT depth. And again, what maximum size to choose for the uncompressed packets?
Find
Reply
Thanks given by:
worktycho Offline
Cuberite Developer
******
Posts: 783
Threads: 12
Joined: Jan 2014
Thanks: 0
Given 4 thank(s) in 61 post(s)
#13
04-19-2015, 03:04 AM
Well since we limit packet size to 32 KiB I suggest 512 KiB as a limit. Most non-pathological structured data has a less than 10:1 compression ratio so having a limit of 16 times compressed size seems reasonable. Limiting this in the NBT parser could be as simple as limiting the size of cFastNBT::m_Tags to a sensible value. Can I suggest 1,000?

Recursion depth for NBT was more of a general issue as if you can jump the guard page it allows the attacker to write arbitrary data to memory.
Find
Reply
Thanks given by:




Users browsing this thread: 1 Guest(s)