Impact
A remote attacker may crash a server by sending PlayerActionPacket with invalid facing values (e.g. negative), specifically with START_BREAK or CRACK_BLOCK actions, or with a UseItemTransactionData (typically in InventoryTransactionPacket).
Patches
f126479
Workarounds
Using a plugin, cancel DataPacketReceiveEvent if the packet is PlayerActionPacket and the facing is outside the range 0-5 when receiving START_BREAK or CRACK_BLOCK actions, or UseItemTransactionData. However, beware that negative values may be legitimate in some cases.
For more information
If you have any questions or comments about this advisory:
Impact
A remote attacker may crash a server by sending
PlayerActionPacketwith invalid facing values (e.g. negative), specifically withSTART_BREAKorCRACK_BLOCKactions, or with aUseItemTransactionData(typically inInventoryTransactionPacket).Patches
f126479
Workarounds
Using a plugin, cancel
DataPacketReceiveEventif the packet isPlayerActionPacketand the facing is outside the range 0-5 when receiving START_BREAK or CRACK_BLOCK actions, or UseItemTransactionData. However, beware that negative values may be legitimate in some cases.For more information
If you have any questions or comments about this advisory: