From ae14eb8ccb56f6b12e210a145837f4545607f416 Mon Sep 17 00:00:00 2001 From: Andrew Steinborn Date: Sat, 23 Nov 2019 01:06:00 -0500 Subject: [PATCH] Fix potential UDP speculative reflection attack --- .../proxy/protocol/netty/GS4QueryHandler.java | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/proxy/src/main/java/com/velocitypowered/proxy/protocol/netty/GS4QueryHandler.java b/proxy/src/main/java/com/velocitypowered/proxy/protocol/netty/GS4QueryHandler.java index 8bcda72de..b3407c980 100644 --- a/proxy/src/main/java/com/velocitypowered/proxy/protocol/netty/GS4QueryHandler.java +++ b/proxy/src/main/java/com/velocitypowered/proxy/protocol/netty/GS4QueryHandler.java @@ -18,6 +18,7 @@ import io.netty.channel.SimpleChannelInboundHandler; import io.netty.channel.socket.DatagramPacket; import java.net.InetAddress; import java.nio.charset.StandardCharsets; +import java.security.SecureRandom; import java.util.Collection; import java.util.Collections; import java.util.Iterator; @@ -59,6 +60,7 @@ public class GS4QueryHandler extends SimpleChannelInboundHandler private final Cache sessions = CacheBuilder.newBuilder() .expireAfterWrite(30, TimeUnit.SECONDS) .build(); + private final SecureRandom random; private volatile @MonotonicNonNull List pluginInformationList = null; @@ -67,6 +69,7 @@ public class GS4QueryHandler extends SimpleChannelInboundHandler public GS4QueryHandler(VelocityServer server) { this.server = server; + this.random = new SecureRandom(); } private QueryResponse createInitialResponse() { @@ -111,7 +114,7 @@ public class GS4QueryHandler extends SimpleChannelInboundHandler switch (type) { case QUERY_TYPE_HANDSHAKE: { // Generate new challenge token and put it into the sessions cache - int challengeToken = ThreadLocalRandom.current().nextInt(); + int challengeToken = random.nextInt(); sessions.put(senderAddress, challengeToken); // Respond with challenge token