Impact
An attacker could crash PocketMine-MP by sending malformed JSON in LoginPacket.
This happened because of unexpected validation behaviour in netresearch/jsonmapper. The library allows NULL in arrays whose types don't expect NULL, even when bStrictNullTypes is set.
Code processing arrays in the JSON data could then crash due to unexpected NULL elements.
Patches
This problem was fixed in 5.3.1 and 4.23.1 by updating JsonMapper to include the following commit: pmmp/netresearch-jsonmapper@4f90e8d
An upstream patch for this issue was proposed via cweiske/jsonmapper#211; however, as of 2024-05-15, the issue has not yet been fixed upstream due to debate about how to deal with the problem. For now, PocketMine-MP uses a fork of JsonMapper to work around the issue.
Workarounds
A plugin may handle DataPacketReceiveEvent for LoginPacket and check that none of the input arrays contain NULL where it's not expected, but this is rather cumbersome.
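One way to write the check described in this workaround, as an added example that is not code from PocketMine-MP or JsonMapper. It assumes the plugin has already extracted the JSON text it wants to inspect; the function name `findNullArrayElements` and the sample field names are hypothetical.

```php
<?php
declare(strict_types=1);

/**
 * Returns the JSON path of every NULL that sits directly inside a JSON array.
 * NULL object properties are not reported, only NULL array elements, which is
 * the case the mapper lets through.
 *
 * @return string[]
 */
function findNullArrayElements(mixed $node, string $path = '$') : array{
    $hits = [];
    if(is_array($node)){
        // Decoded with assoc=false, so a PHP array is always a JSON array.
        foreach($node as $i => $element){
            if($element === null){
                $hits[] = "{$path}[{$i}]";
            }else{
                $hits = array_merge($hits, findNullArrayElements($element, "{$path}[{$i}]"));
            }
        }
    }elseif($node instanceof stdClass){
        // JSON object: descend into each property value.
        foreach(get_object_vars($node) as $key => $value){
            $hits = array_merge($hits, findNullArrayElements($value, "{$path}.{$key}"));
        }
    }
    return $hits;
}

// Constructed sample input; field names are hypothetical, not real login fields.
$json = '{"name":"steve","pieces":[{"id":"a"},null],"tints":[["#fff",null]],"note":null}';

try{
    $decoded = json_decode($json, false, 512, JSON_THROW_ON_ERROR);
}catch(JsonException $e){
    echo "rejecting input: invalid JSON", PHP_EOL;
    exit(1);
}

$bad = findNullArrayElements($decoded);
if($bad !== []){
    // A plugin would refuse the login at this point instead of printing.
    echo "rejecting input, NULL array elements at: ", implode(", ", $bad), PHP_EOL;
}
```

This flags every NULL array element, so a field that legitimately permits NULL entries would need an allow-list of paths.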
References
Proposed upstream fix for the problem: cweiske/jsonmapper#211