Movement Validation Wrong
The bug
The MC server contains code to the effect of:
    private static boolean b(PacketPlayInFlying paramPacketPlayInFlying) {
        if ((Doubles.isFinite(paramPacketPlayInFlying.a(0.0D)))
                && (Doubles.isFinite(paramPacketPlayInFlying.b(0.0D)))
                && (Doubles.isFinite(paramPacketPlayInFlying.c(0.0D)))
                && (Floats.isFinite(paramPacketPlayInFlying.b(0.0F)))
                && (Floats.isFinite(paramPacketPlayInFlying.a(0.0F)))) {
            return false;
        }
        if ((Math.abs(paramPacketPlayInFlying.a(0.0D)) > 30000000.0D)
                || (Math.abs(paramPacketPlayInFlying.c(0.0D)) > 30000000.0D)) {
            return false;
        }
        return true;
    }
Aside from not checking the magnitude of the Y coord, the first part of the NaN checks can be bypassed as long as magnitude < 3E7.
Sending NaN allows the server to be crashed.
Examples
Sending this packet triggers the watchdog:
new CPacketPlayer.Position(99_999_999, Double.NaN, 50, false)
Here are some samples of the watchdog crashes:
Sending this packet does *not* trigger the watchdog, although it does cause severe lag:
new CPacketPlayer.Position(Double.NaN, 64, 99_999_999, false)
It also generated 2 region files:
- r.-1.58593.mca
- r.0.58593.mca
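The quoted check modelled as a stand-alone class and run against the two packets from the Examples section (an added example, not the server's code or the reporter's). `invalidAsShipped` keeps the quoted control flow, with `Double.isFinite`/`Float.isFinite` standing in for Guava's `Doubles.isFinite`/`Floats.isFinite`; the class name, `invalidHardened` and the extra sample rows are assumptions made here.

```java
// Added example: a stand-alone model of the check, not the server's own code.
public class MoveCheck {
    static final double LIMIT = 30000000.0D; // bound used in the quoted check

    // Same control flow as the quoted b(): true means "packet is invalid".
    static boolean invalidAsShipped(double x, double y, double z, float yaw, float pitch) {
        if (Double.isFinite(x) && Double.isFinite(y) && Double.isFinite(z)
                && Float.isFinite(yaw) && Float.isFinite(pitch)) {
            return false;
        }
        // Reached only when some field is NaN or infinite.
        if (Math.abs(x) > LIMIT || Math.abs(z) > LIMIT) {
            return false;
        }
        return true;
    }

    // Hardened form (assumption): reject any non-finite field first,
    // then range-check all three coordinates, Y included.
    static boolean invalidHardened(double x, double y, double z, float yaw, float pitch) {
        if (!(Double.isFinite(x) && Double.isFinite(y) && Double.isFinite(z)
                && Float.isFinite(yaw) && Float.isFinite(pitch))) {
            return true;
        }
        return Math.abs(x) > LIMIT || Math.abs(y) > LIMIT || Math.abs(z) > LIMIT;
    }

    public static void main(String[] args) {
        // First two rows are the packets from the report; the rest are constructed.
        double[][] samples = {
            {99_999_999, Double.NaN, 50},
            {Double.NaN, 64, 99_999_999},
            {0, Double.NaN, 0},
            {0, 64, 0},
            {0, 1e9, 0},
        };
        for (double[] s : samples) {
            System.out.printf("x=%s y=%s z=%s  asShipped.invalid=%b  hardened.invalid=%b%n",
                    s[0], s[1], s[2],
                    invalidAsShipped(s[0], s[1], s[2], 0.0F, 0.0F),
                    invalidHardened(s[0], s[1], s[2], 0.0F, 0.0F));
        }
    }
}
```

For both packets from the report, the quoted logic returns false (packet accepted) from the range branch even though one coordinate is NaN, while the hardened form rejects them.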
2016-12-24, 01:46 PM
2017-06-02, 02:03 AM
2017-05-16, 03:03 PM
NaN, crash, hang, lag, movement, server