From 71d124637471ad2c24ded1bb8f8f8fecb718c3ec Mon Sep 17 00:00:00 2001 From: Janmm14 Date: Wed, 28 Apr 2021 16:52:00 +1000 Subject: [PATCH] #3066: Put ReadTimeoutHandler after frame decoder. This reduces the impact of attacks that send a large packet size first and then send data very slowly but frequently enough to not trigger a timeout (as the timeout handler was before the Varint21FrameDecoder). This causes connections to stay open for a long time without much effort from an attacker, while the packet never leaves the Varint21FrameDecpder stage of the netty pipeline (causing no additional checks to happen and no logs of the connection to be created). This will not have an impact on bad connections as without recieving full packets the underlying spigot server would timeout instead. --- proxy/src/main/java/net/md_5/bungee/netty/PipelineUtils.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/proxy/src/main/java/net/md_5/bungee/netty/PipelineUtils.java b/proxy/src/main/java/net/md_5/bungee/netty/PipelineUtils.java index afc2c12a..1533eadc 100644 --- a/proxy/src/main/java/net/md_5/bungee/netty/PipelineUtils.java +++ b/proxy/src/main/java/net/md_5/bungee/netty/PipelineUtils.java @@ -172,8 +172,8 @@ public class PipelineUtils ch.config().setAllocator( PooledByteBufAllocator.DEFAULT ); ch.config().setWriteBufferWaterMark( MARK ); - ch.pipeline().addLast( TIMEOUT_HANDLER, new ReadTimeoutHandler( BungeeCord.getInstance().config.getTimeout(), TimeUnit.MILLISECONDS ) ); ch.pipeline().addLast( FRAME_DECODER, new Varint21FrameDecoder() ); + ch.pipeline().addLast( TIMEOUT_HANDLER, new ReadTimeoutHandler( BungeeCord.getInstance().config.getTimeout(), TimeUnit.MILLISECONDS ) ); ch.pipeline().addLast( FRAME_PREPENDER, framePrepender ); ch.pipeline().addLast( BOSS_HANDLER, new HandlerBoss() );