the Java Edition has a number of server-side packet decoders/constructors that specify a maximum received length that a client can send before it'll reject that packet from the client.
for example, in 1.19.3's net.minecraft.network.protocol.login.ServerboundHelloPacket (unsure what mappings are used below):
public ServerboundHelloPacket(FriendlyByteBuf pBuffer) {
this(pBuffer.readUtf(16), pBuffer.readOptional(FriendlyByteBuf::readUUID));
}
the name string is limited to 16 characters to prevent a malicious user, on multiple, new client connections, sending a fake handshake packet that claims to contain a "hostname" string of length 32767 (might only need to be a thousand for an effective attack so long as the string's prefixed length is 32767) and having the server reserve number_of_spoofed_clients * 32767 of memory semi-simultaneously in an effort to read the strings, crashing the server process. in theory, even one such spoof could crash a server with limited dedicated memory.
this maximum length information is not preserved in the JSONified version of the protocol present in:
|
"packet_login_start": [ |
|
"container", |
|
[ |
|
{ |
|
"name": "username", |
|
"type": "string" |
|
}, |
|
{ |
|
"name": "playerUUID", |
|
"type": [ |
|
"option", |
|
"UUID" |
|
] |
|
} |
|
] |
|
], |
i can only assume the reason that this was left out of minecraft-data was the underlying technical issue of generally specifying a maximum accepted value for "countable" types (e.g. varint) not being supported in ProtoDef. i've made a feature request and PR for the underlying ProtoDef library: ProtoDef-io/ProtoDef#60.
i can make a proof of concept for one Minecraft version to determine the level of work required to update the protocol documentation for each version. is it anticipated that there will be any interest in resolving this issue?
the Java Edition has a number of server-side packet decoders/constructors that specify a maximum received length that a client can send before it'll reject that packet from the client.
for example, in 1.19.3's
net.minecraft.network.protocol.login.ServerboundHelloPacket(unsure what mappings are used below):the
namestring is limited to 16 characters to prevent a malicious user, on multiple, new client connections, sending a fake handshake packet that claims to contain a "hostname" string of length 32767 (might only need to be a thousand for an effective attack so long as the string's prefixed length is 32767) and having the server reservenumber_of_spoofed_clients * 32767of memory semi-simultaneously in an effort to read the strings, crashing the server process. in theory, even one such spoof could crash a server with limited dedicated memory.this maximum length information is not preserved in the JSONified version of the protocol present in:
minecraft-data/data/pc/1.19.3/protocol.json
Lines 1538 to 1553 in 5afbbdd
i can only assume the reason that this was left out of
minecraft-datawas the underlying technical issue of generally specifying a maximum accepted value for "countable" types (e.g.varint) not being supported in ProtoDef. i've made a feature request and PR for the underlying ProtoDef library: ProtoDef-io/ProtoDef#60.i can make a proof of concept for one Minecraft version to determine the level of work required to update the protocol documentation for each version. is it anticipated that there will be any interest in resolving this issue?