Impact
A "mismatch" type InventoryTransactionPacket is sent by the client to request a resync of all currently open inventories.
Since PocketMine-MP does not rate-limit these "mismatch" transactions, and the syncing of inventories is not deferred until, e.g. the end of the current tick, they can be used as a very cheap bandwidth multiplier by making the server send out many MB of data (network serialized inventory items can be very large, especially when dealing with large amounts of NBT).
This is not currently known to have been exploited in the wild.
Patches
This problem was fixed in 4.18.0-ALPHA2 by ca6d514 alongside the introduction of the ItemStackRequest system implementation.
Workarounds
Plugins can handle DataPacketReceiveEvent for InventoryTransactionPacket and check if the type is MismatchTransactionData. If it is, apply some kind of rate limit (e.g. max 1 per tick).
Impact
A "mismatch" type
InventoryTransactionPacketis sent by the client to request a resync of all currently open inventories.Since PocketMine-MP does not rate-limit these "mismatch" transactions, and the syncing of inventories is not deferred until, e.g. the end of the current tick, they can be used as a very cheap bandwidth multiplier by making the server send out many MB of data (network serialized inventory items can be very large, especially when dealing with large amounts of NBT).
This is not currently known to have been exploited in the wild.
Patches
This problem was fixed in 4.18.0-ALPHA2 by ca6d514 alongside the introduction of the
ItemStackRequestsystem implementation.Workarounds
Plugins can handle
DataPacketReceiveEventforInventoryTransactionPacketand check if the type isMismatchTransactionData. If it is, apply some kind of rate limit (e.g. max 1 per tick).