Impact
TShock has an implementation of a packet sanitizer and validator called Bouncer. This is responsible for preventing many of the common downfalls of a stock Terraria server. However, inconsistent use of the TilePlacementValid method to check whether tile coordinates were within the world bounds allowed a player to DoS attack a server due to unexpectedly large world framing.
Patches
TShock 4.5.5 patches the exploit. The list below shows the corrected methods within Bouncer:
OnTileEdit: The check was moved to be the first, and will no longer SendTileSquare upon failure.
OnPlaceObject: The check was moved to be the first, and will no longer SendTileSquare upon failure.
OnPlaceTileEntity: The check was newly added.
OnPlaceItemFrame: The check was newly added.
OnFoodPlatterTryPlacing: The check was newly added.
All subsequent versions include the fix. Because this issue affects multiple areas of Bouncer, it would be impossible to identify the specific commit that introduced this vulnerability.
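The ordering change listed above, modelled as an added example that is not TShock's code. InWorld, PlayerInRange, the world size and the handler names are hypothetical stand-ins; only TilePlacementValid and SendTileSquare are names taken from this advisory.

```csharp
using System;
using System.Collections.Generic;

// Constructed model of a packet validator; these are not TShock's own types.
static class BouncerSketch
{
    const int MaxTilesX = 8400, MaxTilesY = 2400; // assumed world size
    static readonly List<string> Sent = new List<string>();

    // Plays the role of TilePlacementValid: are the coordinates inside the world?
    static bool InWorld(int x, int y) =>
        x >= 0 && x < MaxTilesX && y >= 0 && y < MaxTilesY;

    // Hypothetical later check that is only meaningful for in-world coordinates.
    static bool PlayerInRange(int px, int py, int x, int y) =>
        Math.Abs(px - x) <= 32 && Math.Abs(py - y) <= 32;

    // Stand-in for SendTileSquare: the server resends tiles around (x, y).
    static void SendTileSquare(int x, int y) => Sent.Add($"resync {x},{y}");

    // Before: the bounds check is not first, and failures resync untrusted coordinates.
    static bool HandleTileEditBefore(int px, int py, int x, int y)
    {
        if (!PlayerInRange(px, py, x, y)) { SendTileSquare(x, y); return false; }
        if (!InWorld(x, y)) { SendTileSquare(x, y); return false; }
        return true;
    }

    // After: the bounds check runs first and rejects without touching world data.
    static bool HandleTileEditAfter(int px, int py, int x, int y)
    {
        if (!InWorld(x, y)) return false;
        if (!PlayerInRange(px, py, x, y)) { SendTileSquare(x, y); return false; }
        return true;
    }

    static void Main()
    {
        // Constructed packet: player at (100, 100), edit aimed outside the world.
        bool before = HandleTileEditBefore(100, 100, 30000, -5);
        Console.WriteLine($"before: accepted={before} resyncs={Sent.Count}");
        Sent.Clear();
        bool after = HandleTileEditAfter(100, 100, 30000, -5);
        Console.WriteLine($"after: accepted={after} resyncs={Sent.Count}");
    }
}
```

Both handlers reject the packet; the difference is that the patched ordering never passes out-of-world coordinates to any later check or to the resync path.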
Workarounds
Update your server to TShock 4.5.5. There are no other known workarounds for this vulnerability.