GHSA-xc7j-wj36-qjfr: PocketMine-MP BookEditPacket crash when inventory slot in the packet is invalid

March 6, 2024

Summary

If a client sends a BookEditPacket with InventorySlot greater than 35, the server will crash due to an unhandled exception thrown by BaseInventory->getItem().

Details

Crashes at https://github.com/pmmp/PocketMine-MP/blob/b744e09352a714d89220719ab6948a010ac636fc/src/network/mcpe/handler/InGamePacketHandler.php#L873

PoC

Using Gophertunnel, use serverConn.WritePacket(&packet.BookEdit{InventorySlot: 36})

Impact

Server crash, all servers

Patched versions

This issue was fixed by 47f011966092f275cc1b11f8de635e89fd9651a7, and the fix was released in 5.11.2.

References

github.com/advisories/GHSA-xc7j-wj36-qjfr
github.com/pmmp/PocketMine-MP
github.com/pmmp/PocketMine-MP/blob/b744e09352a714d89220719ab6948a010ac636fc/src/network/mcpe/handler/InGamePacketHandler.php
github.com/pmmp/PocketMine-MP/commit/47f011966092f275cc1b11f8de635e89fd9651a7
github.com/pmmp/PocketMine-MP/security/advisories/GHSA-xc7j-wj36-qjfr

Detect and mitigate GHSA-xc7j-wj36-qjfr with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →