Mojira Archive
MC-264672

Max player count can be bypassed using prolonged config phase

Yarn, 23w31a

Introduction

In 23w31a, the new "configuration phase" was introduced. This is a step between login and play phases. Authentication, including ban list and max player count check is done in login phase (PlayerManager#checkCanJoin); the player entity is spawned when transitioning to the play phase (PlayerManager#onPlayerConnect). While the login-config phase transition is automatic, the server does not place the player in play phase unless the client sends the server a packet indicating that the client is ready (ReadyC2SPacket). Notably, the player hasn't "formally" joined during config phase; the player instance is not created yet, and they are not spawned in the world. And since the player instance is not created, PlayerManager#players list that keeps track of players, does not have the player.

This introduces an interesting scenario, where a player is not in the world yet the login succeeded. And the client - potentially malicious - has the power to delay the configuration phase indefinitely.

Bug Detail

Dedicated servers can set the maximum number of players via server.properties. This works by rejecting players at the login phase, if the number of players in game have already reached the limit. The check in PlayerManager#checkCanJoin is: this.players.size() >= this.maxPlayers.

However, since players in configuration phases have already passed the player count check, yet are excluded from calculation of player counts because they are not in PlayerManager#players, and the player can prolong the config phase as long as you like, this allows max player count to be completely ignored.

Exploit method

Clients should have a mod that allows players to delay the sending of ReadyC2SPacket, which is ordinarily sent automatically after receiving ReadyS2CPacket.

  1. Max player count setting should allow 1 more player.
  2. Player A joins, then delays the config phase.
  3. During the extended config phase, Player B joins.
  4. Player A sends the Ready packet to the server, ending the config phase.
  5. Player A and Player B are both in-game, exceeding the max player count by 1.

Of course, if Player B also uses the mod, we can have Player C join as well - allowing infinite number of players to join at once.

Potential fixes

There are multiple potential fixes:

  1. We could call PlayerManager#checkCanJoin after login and configuration. Note that this should still be called in login.
  2. checkCanJoin could check the number of configuration-phase to-be-players as well.

Fixed

apple502j

[Mojang] Timur Nazarov

2023-08-05, 04:46 PM

2023-08-28, 01:04 PM

2023-08-28, 01:04 PM

1

0

Plausible

Important

Platform

Networking

23w31a

23w35a