Merge branch 'stable' into major-next

Author: dktapps

.github/dependabot.yml

@@ -3,10 +3,13 @@ updates:
 - package-ecosystem: composer
   directory: "/"
   schedule:
-    interval: daily
+    interval: monthly
     time: "10:00"
   open-pull-requests-limit: 10
 - package-ecosystem: github-actions
   directory: "/"
   schedule:
     interval: monthly
+  groups:
+    github-actions:
+      patterns: ["*"]

.github/workflows/main.yml

@@ -10,20 +10,20 @@ jobs:
     if: "!contains(github.event.head_commit.message, '[ci skip]')"
     strategy:
       matrix:
-        php: ["8.1", "8.2", "8.3"]
+        php: ["8.1", "8.2", "8.3", "8.4", "8.5"]
     name: PHP ${{ matrix.php }}
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: Setup PHP
-        uses: shivammathur/setup-php@2.24.0
+        uses: shivammathur/setup-php@2.32.0
         with:
           php-version: ${{ matrix.php }}
 
       - name: Cache Composer packages
         id: composer-cache
-        uses: actions/cache@v3
+        uses: actions/cache@v4
         with:
           path: "~/.cache/composer"
           key: "php-${{ matrix.php }}-composer-${{ hashFiles('**/composer.json') }}"

composer.json

@@ -12,8 +12,8 @@
 		"pocketmine/binaryutils": "^0.2.0"
 	},
 	"require-dev": {
-		"phpstan/phpstan": "1.10.1",
-		"phpstan/phpstan-strict-rules": "^1.0"
+		"phpstan/phpstan": "2.1.33",
+		"phpstan/phpstan-strict-rules": "^2.0"
 	},
 	"autoload": {
 		"psr-4": {

phpstan.neon.dist

@@ -1,5 +1,4 @@
 includes:
-	- tests/phpstan/configs/encapsulated-packet-sucks.neon
 	- tests/phpstan/configs/phpstan-bugs.neon
 	- vendor/phpstan/phpstan-strict-rules/rules.neon
 

src/generic/ReceiveReliabilityLayer.php

@@ -176,6 +176,7 @@ private function handleEncapsulatedPacket(EncapsulatedPacket $packet) : void{
 		}
 
 		if($packet->reliability->isSequenced()){
+			assert($packet->orderChannel !== null && $packet->sequenceIndex !== null, 'These should have been set during decode');
 			if($packet->sequenceIndex < $this->receiveSequencedHighestIndex[$packet->orderChannel] or $packet->orderIndex < $this->receiveOrderedIndex[$packet->orderChannel]){
 				//too old sequenced packet, discard it
 				return;
@@ -184,28 +185,30 @@ private function handleEncapsulatedPacket(EncapsulatedPacket $packet) : void{
 			$this->receiveSequencedHighestIndex[$packet->orderChannel] = $packet->sequenceIndex + 1;
 			$this->handleEncapsulatedPacketRoute($packet);
 		}elseif($packet->reliability->isOrdered()){
-			if($packet->orderIndex === $this->receiveOrderedIndex[$packet->orderChannel]){
+			$orderChannel = $packet->orderChannel;
+			assert($orderChannel !== null, 'This should have been set during decode');
+			if($packet->orderIndex === $this->receiveOrderedIndex[$orderChannel]){
 				//this is the packet we expected to get next
 				//Any ordered packet resets the sequence index to zero, so that sequenced packets older than this ordered
 				//one get discarded. Sequenced packets also include (but don't increment) the order index, so a sequenced
 				//packet with an order index less than this will get discarded
-				$this->receiveSequencedHighestIndex[$packet->orderChannel] = 0;
-				$this->receiveOrderedIndex[$packet->orderChannel] = $packet->orderIndex + 1;
+				$this->receiveSequencedHighestIndex[$orderChannel] = 0;
+				$this->receiveOrderedIndex[$orderChannel] = $packet->orderIndex + 1;
 
 				$this->handleEncapsulatedPacketRoute($packet);
-				$i = $this->receiveOrderedIndex[$packet->orderChannel];
-				for(; isset($this->receiveOrderedPackets[$packet->orderChannel][$i]); ++$i){
-					$this->handleEncapsulatedPacketRoute($this->receiveOrderedPackets[$packet->orderChannel][$i]);
-					unset($this->receiveOrderedPackets[$packet->orderChannel][$i]);
+				$i = $this->receiveOrderedIndex[$orderChannel];
+				for(; isset($this->receiveOrderedPackets[$orderChannel][$i]); ++$i){
+					$this->handleEncapsulatedPacketRoute($this->receiveOrderedPackets[$orderChannel][$i]);
+					unset($this->receiveOrderedPackets[$orderChannel][$i]);
 				}
 
-				$this->receiveOrderedIndex[$packet->orderChannel] = $i;
-			}elseif($packet->orderIndex > $this->receiveOrderedIndex[$packet->orderChannel]){
-				if(count($this->receiveOrderedPackets[$packet->orderChannel]) >= self::$WINDOW_SIZE){
+				$this->receiveOrderedIndex[$orderChannel] = $i;
+			}elseif($packet->orderIndex > $this->receiveOrderedIndex[$orderChannel]){
+				if(count($this->receiveOrderedPackets[$orderChannel]) >= self::$WINDOW_SIZE){
 					//queue overflow for this channel - we should probably disconnect the peer at this point
 					return;
 				}
-				$this->receiveOrderedPackets[$packet->orderChannel][$packet->orderIndex] = $packet;
+				$this->receiveOrderedPackets[$orderChannel][$packet->orderIndex] = $packet;
 			}else{
 				//duplicate/already received packet
 			}

src/generic/SendReliabilityLayer.php

@@ -169,8 +169,14 @@ public function addEncapsulatedToQueue(EncapsulatedPacket $packet, bool $immedia
 		}
 
 		if($packet->reliability->isOrdered()){
+			if($packet->orderChannel === null){
+				throw new \InvalidArgumentException("Order channel must be set reliability {$packet->reliability->name}");
+			}
 			$packet->orderIndex = $this->sendOrderedIndex[$packet->orderChannel]++;
 		}elseif($packet->reliability->isSequenced()){
+			if($packet->orderChannel === null){
+				throw new \InvalidArgumentException("Order channel must be set for reliability {$packet->reliability->name}");
+			}
 			$packet->orderIndex = $this->sendOrderedIndex[$packet->orderChannel]; //sequenced packets don't increment the ordered channel index
 			$packet->sequenceIndex = $this->sendSequencedIndex[$packet->orderChannel]++;
 		}

src/generic/Session.php

@@ -270,12 +270,16 @@ private function handleEncapsulatedPacketRoute(EncapsulatedPacket $packet) : voi
 	 * @param int $sendPongTime TODO: clock differential stuff
 	 */
 	private function handlePong(int $sendPingTime, int $sendPongTime) : void{
-		$currentTime = $this->getRakNetTimeMS();
-		if($currentTime < $sendPingTime){
-			$this->logger->debug("Received invalid pong: timestamp is in the future by " . ($sendPingTime - $currentTime) . " ms");
+		if($sendPingTime < 0){
+			$this->logger->debug("Received invalid pong: timestamp overflow");
 		}else{
-			$this->lastPingMeasure = $currentTime - $sendPingTime;
-			$this->onPingMeasure($this->lastPingMeasure);
+			$currentTime = $this->getRakNetTimeMS();
+			if($currentTime < $sendPingTime){
+				$this->logger->debug("Received invalid pong: timestamp is in the future by " . ($sendPingTime - $currentTime) . " ms");
+			}else{
+				$this->lastPingMeasure = $currentTime - $sendPingTime;
+				$this->onPingMeasure($this->lastPingMeasure);
+			}
 		}
 	}
 

src/protocol/EncapsulatedPacket.php

@@ -88,9 +88,19 @@ public function toBinary() : string{
 		return
 			chr(($this->reliability->value << self::RELIABILITY_SHIFT) | ($this->splitInfo !== null ? self::SPLIT_FLAG : 0)) .
 			Binary::writeShort(strlen($this->buffer) << 3) .
-			($this->reliability->isReliable() ? Binary::writeLTriad($this->messageIndex) : "") .
-			($this->reliability->isSequenced() ? Binary::writeLTriad($this->sequenceIndex) : "") .
-			($this->reliability->isSequencedOrOrdered() ? Binary::writeLTriad($this->orderIndex) . chr($this->orderChannel) : "") .
+			($this->reliability->isReliable() ?
+				Binary::writeLTriad($this->messageIndex ?? throw new \LogicException("Message index must be set for reliability {$this->reliability->name}")) :
+				""
+			) .
+			($this->reliability->isSequenced() ?
+				Binary::writeLTriad($this->sequenceIndex ?? throw new \LogicException("Sequence index must be set for reliability {$this->reliability->name}")) :
+				""
+			) .
+			($this->reliability->isSequencedOrOrdered() ?
+				Binary::writeLTriad($this->orderIndex ?? throw new \LogicException("Order index must be set for reliability {$this->reliability->name}")) .
+					chr($this->orderChannel ?? throw new \LogicException("Order channel must be set for reliability {$this->reliability->name}")) :
+				""
+			) .
 			($this->splitInfo !== null ? Binary::writeInt($this->splitInfo->getTotalPartCount()) . Binary::writeShort($this->splitInfo->getId()) . Binary::writeInt($this->splitInfo->getPartIndex()) : "")
 			. $this->buffer;
 	}

src/server/Server.php

@@ -18,9 +18,9 @@
 
 use pocketmine\utils\BinaryDataException;
 use raklib\generic\DisconnectReason;
+use raklib\generic\PacketHandlingException;
 use raklib\generic\Session;
 use raklib\generic\SocketException;
-use raklib\generic\PacketHandlingException;
 use raklib\protocol\ACK;
 use raklib\protocol\Datagram;
 use raklib\protocol\EncapsulatedPacket;
@@ -30,6 +30,7 @@
 use raklib\utils\ExceptionTraceCleaner;
 use raklib\utils\InternetAddress;
 use function asort;
+use function assert;
 use function bin2hex;
 use function count;
 use function get_class;
@@ -46,6 +47,8 @@ class Server implements ServerInterface{
 
 	private const RAKLIB_TPS = 100;
 	private const RAKLIB_TIME_PER_TICK = 1 / self::RAKLIB_TPS;
+	private const BLOCK_MESSAGE_SUPPRESSION_THRESHOLD = 2;
+	private const PACKET_ERROR_SUPPRESSION_THRESHOLD = 2;
 
 	protected int $receiveBytes = 0;
 	protected int $sendBytes = 0;
@@ -70,6 +73,10 @@ class Server implements ServerInterface{
 	/** @var int[] string (address) => int (number of packets) */
 	protected array $ipSec = [];
 
+	private int $blockedSinceLastUpdate = 0;
+
+	private int $packetErrorsSinceLastUpdate = 0;
+
 	/** @var string[] regex filters used to block out unwanted raw packets */
 	protected array $rawPacketFilters = [];
 
@@ -91,7 +98,10 @@ public function __construct(
 		private ServerEventListener $eventListener,
 		private ExceptionTraceCleaner $traceCleaner,
 		private int $recvMaxSplitParts = ServerSession::DEFAULT_MAX_SPLIT_PART_COUNT,
-		private int $recvMaxConcurrentSplits = ServerSession::DEFAULT_MAX_CONCURRENT_SPLIT_COUNT
+		private int $recvMaxConcurrentSplits = ServerSession::DEFAULT_MAX_CONCURRENT_SPLIT_COUNT,
+		private int $blockMessageSuppressionThreshold = self::BLOCK_MESSAGE_SUPPRESSION_THRESHOLD,
+		private int $packetErrorSuppressionThreshold = self::PACKET_ERROR_SUPPRESSION_THRESHOLD,
+		private bool $blockIpOnPacketErrors = true
 	){
 		if($maxMtuSize < Session::MIN_MTU_SIZE){
 			throw new \InvalidArgumentException("MTU size must be at least " . Session::MIN_MTU_SIZE . ", got $maxMtuSize");
@@ -182,6 +192,18 @@ private function tick() : void{
 				$this->receiveBytes = 0;
 			}
 
+			$packetErrorsWithoutMessage = $this->packetErrorsSinceLastUpdate - $this->packetErrorSuppressionThreshold;
+			if($packetErrorsWithoutMessage > 0){
+				$this->logger->warning("$packetErrorsWithoutMessage suppressed packet errors - RakLib may be under attack");
+			}
+			$this->packetErrorsSinceLastUpdate = 0;
+
+			$ipsBlockedWithoutMessage = $this->blockedSinceLastUpdate - $this->blockMessageSuppressionThreshold;
+			if($ipsBlockedWithoutMessage > 0){
+				$this->logger->warning("$ipsBlockedWithoutMessage more IP addresses were blocked - RakLib may be under attack");
+			}
+			$this->blockedSinceLastUpdate = 0;
+
 			if(count($this->block) > 0){
 				asort($this->block);
 				$now = time();
@@ -214,6 +236,9 @@ private function receivePacket() : bool{
 		if($buffer === null){
 			return false; //no data
 		}
+		assert($addressIp !== null, "Can't be null if we got a buffer");
+		assert($addressPort !== null, "Can't be null if we got a buffer");
+
 		$len = strlen($buffer);
 
 		$this->receiveBytes += $len;
@@ -279,20 +304,25 @@ private function receivePacket() : bool{
 				}
 			}
 		}catch(BinaryDataException $e){
-			$logFn = function() use ($address, $e, $buffer) : void{
-				$this->logger->debug("Packet from $address (" . strlen($buffer) . " bytes): 0x" . bin2hex($buffer));
-				$this->logger->debug(get_class($e) . ": " . $e->getMessage() . " in " . $e->getFile() . " on line " . $e->getLine());
-				foreach($this->traceCleaner->getTrace(0, $e->getTrace()) as $line){
-					$this->logger->debug($line);
+			if($this->packetErrorsSinceLastUpdate < $this->packetErrorSuppressionThreshold){
+				$logFn = function() use ($address, $e, $buffer) : void{
+					$this->logger->debug("Packet from $address (" . strlen($buffer) . " bytes): 0x" . bin2hex($buffer));
+					$this->logger->debug(get_class($e) . ": " . $e->getMessage() . " in " . $e->getFile() . " on line " . $e->getLine());
+					foreach($this->traceCleaner->getTrace(0, $e->getTrace()) as $line){
+						$this->logger->debug($line);
+					}
+					$this->logger->error("Bad packet from $address: " . $e->getMessage());
+				};
+				if($this->logger instanceof \BufferedLogger){
+					$this->logger->buffer($logFn);
+				}else{
+					$logFn();
 				}
-				$this->logger->error("Bad packet from $address: " . $e->getMessage());
-			};
-			if($this->logger instanceof \BufferedLogger){
-				$this->logger->buffer($logFn);
-			}else{
-				$logFn();
 			}
-			$this->blockAddress($address->getIp(), 5);
+			$this->packetErrorsSinceLastUpdate++;
+			if($this->blockIpOnPacketErrors){
+				$this->blockAddress($address->getIp(), 5);
+			}
 		}
 
 		return true;
@@ -350,10 +380,14 @@ public function blockAddress(string $address, int $timeout = 300) : void{
 		if(!isset($this->block[$address]) or $timeout === -1){
 			if($timeout === -1){
 				$final = PHP_INT_MAX;
-			}else{
-				$this->logger->notice("Blocked $address for $timeout seconds");
+			}
+			if($this->blockedSinceLastUpdate < $this->blockMessageSuppressionThreshold){
+				//Suppress additional log messages if multiple IPs have been banned in quick succession
+				//In the case of IP spoofing attacks we don't want log spam to slow down the server
+				$this->logger->notice("Blocked $address" . ($timeout === -1 ? " forever" : " for $timeout seconds"));
 			}
 			$this->block[$address] = $final;
+			$this->blockedSinceLastUpdate++;
 		}elseif($this->block[$address] < $final){
 			$this->block[$address] = $final;
 		}