Transport.TransportReceive catches exceptions and disconnects the connection after invalid data was received. (#737)

Assets/Mirror/Runtime/NetworkConnection.cs

@@ -224,6 +224,20 @@ public bool InvokeHandler<T>(T msg) where T : IMessageBase
         //       -> can be tested easily with a 1000ms send delay and then logging amount received in while loops here
         //          and in NetworkServer/Client Update. HandleBytes already takes exactly one.
         public virtual void TransportReceive(byte[] buffer)
+        {
+            // protect against DOS attacks if attackers try to send invalid
+            // data packets to crash the server/client. there are a thousand
+            // ways to cause an exception in data handling:
+            // - invalid headers
+            // - invalid message ids
+            // - invalid data causing exceptions
+            // - negative ReadBytesAndSize prefixes
+            // - invalid utf8 strings
+            // - etc.
+            //
+            // let's catch them all and then disconnect that connection to avoid
+            // further attacks.
+            try
             {
                 // unpack message
                 NetworkReader reader = new NetworkReader(buffer);
@@ -242,6 +256,12 @@ public virtual void TransportReceive(byte[] buffer)
                 }
                 else Debug.LogError("HandleBytes UnpackMessage failed for: " + BitConverter.ToString(buffer));
             }
+            catch (Exception exception)
+            {
+                Disconnect();
+                Debug.LogWarning("Closed connection: " + connectionId + ". This can happen if the other side accidentally (or an attacker intentionally) sent invalid data. Reason: " + exception);
+            }
+        }
 
         public virtual bool TransportSend(int channelId, byte[] bytes, out byte error)
         {