Describe the bug
A malicious node can send a packet continuously. The packet is in an incorrect format and cannot be decoded by the node correctly. As a result, the node may consume memory continuously, as the following figure shows:
After 100 seconds, over 4000 MB of memory has been consumed. If I continue sending the packet, the node will consume all the memory. At last it is killed by the OS.
In order to analyze the reason for this bug, I tried to debug the code of the node. Here is what I found:
First, I found that in the file libp2p/P2PMessageRC2.cpp, at line 109 in the function decode:
the variable size is 72 and the variable m_length is a very big number with my packet. So the function will return dev::network::PACKET_INCOMPLETE, whose value is 0.
The variable which accepts the return value is result in libnetwork/Session.cpp at line 421 in the function doRead:
ssize_t result = message->decode(s->m_data.data(), s->m_data.size());
Because the value of result is 0, the program will call the function doRead recursively here. If I delete this call, the problem will not occur anymore.
    else if (result == 0) {
        // s->doRead(); break;
    }
So I think the reason may be that the developers forgot to release certain memory before the return statement if the packet is not decoded correctly!
To Reproduce
Steps to reproduce the behavior:
Construct a P2P packet which claims to have a big length (set a big value for variable m_length)
Continuously send the packet to a running node
The node will consume the memory continuously and crash.
Expected behavior
By handling the abnormal packets correctly, the memory cost will not sustainably increase and the node will not crash.
Screenshots
I have given the screenshots of the memory usage of the node in the description part.
Environment (please complete the following information):
OS: Ubuntu 16.04
FISCO BCOS Version: v2.7.2
Additional context
None!
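The core of the report is a decoder that answers "incomplete" for any buffer shorter than the length a peer claims, so a 72-byte chunk claiming gigabytes keeps the session buffering forever. The following is an added example (editor's code, not FISCO BCOS's own decode or doRead) that contrasts that naive behaviour with a decoder that validates the claimed length before deciding to wait. The frame layout (a 4-byte big-endian length covering the whole frame, then payload), the result constants kPacketError/kPacketIncomplete, the 16 MiB cap kMaxFrameLen and the Session/feed helpers are all assumptions made for illustration and do not describe the real wire format or code paths.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Return convention assumed for this example: negative = malformed packet,
// 0 = need more bytes, positive = bytes consumed by one complete packet.
constexpr long kPacketError = -1;
constexpr long kPacketIncomplete = 0;

// Assumed simplified frame: 4-byte big-endian length (counting the header
// itself) followed by the payload. Not the real FISCO BCOS format.
constexpr std::size_t kHeaderLen = 4;
// Assumed upper bound on one frame; a real node derives this from its protocol.
constexpr std::uint32_t kMaxFrameLen = 16u * 1024u * 1024u;

static std::uint32_t readBE32(const std::uint8_t* p) {
    return (std::uint32_t(p[0]) << 24) | (std::uint32_t(p[1]) << 16) |
           (std::uint32_t(p[2]) << 8) | std::uint32_t(p[3]);
}

// Naive decoder: trusts the claimed length, so any buffer shorter than it is
// "incomplete". A peer claiming ~4 GB keeps the session accumulating bytes.
long decodeNaive(const std::uint8_t* data, std::size_t size) {
    if (size < kHeaderLen) return kPacketIncomplete;
    const std::uint32_t length = readBE32(data);
    if (length < kHeaderLen) return kPacketError;
    if (size < length) return kPacketIncomplete;
    return static_cast<long>(length);
}

// Hardened decoder: the claimed length is checked against a cap before any
// buffering decision, so an absurd length is a protocol error, not a wait.
long decodeHardened(const std::uint8_t* data, std::size_t size) {
    if (size < kHeaderLen) return kPacketIncomplete;
    const std::uint32_t length = readBE32(data);
    if (length < kHeaderLen || length > kMaxFrameLen) return kPacketError;
    if (size < length) return kPacketIncomplete;
    return static_cast<long>(length);
}

using Decoder = long (*)(const std::uint8_t*, std::size_t);

// Minimal stand-in for a session's read buffer.
struct Session {
    std::vector<std::uint8_t> buffer;
    std::size_t decodedFrames = 0;
    bool closed = false;
};

// Append one received chunk and drain complete frames. On a decode error the
// buffer is released and the session closed; that is where growth must stop.
// Returns the number of bytes still buffered.
std::size_t feed(Session& s, const std::vector<std::uint8_t>& chunk, Decoder decode) {
    if (s.closed) return 0;
    s.buffer.insert(s.buffer.end(), chunk.begin(), chunk.end());
    for (;;) {
        const long r = decode(s.buffer.data(), s.buffer.size());
        if (r == kPacketError) {
            std::vector<std::uint8_t>().swap(s.buffer);  // free the storage, not just clear()
            s.closed = true;
            return 0;
        }
        if (r == kPacketIncomplete) return s.buffer.size();
        s.buffer.erase(s.buffer.begin(), s.buffer.begin() + r);
        ++s.decodedFrames;
    }
}

// Constructed frame whose header claims `claimedLen` bytes but carries only `bodyBytes`.
std::vector<std::uint8_t> makeFrame(std::uint32_t claimedLen, std::size_t bodyBytes) {
    std::vector<std::uint8_t> f(kHeaderLen + bodyBytes, 0xAB);
    f[0] = static_cast<std::uint8_t>(claimedLen >> 24);
    f[1] = static_cast<std::uint8_t>(claimedLen >> 16);
    f[2] = static_cast<std::uint8_t>(claimedLen >> 8);
    f[3] = static_cast<std::uint8_t>(claimedLen);
    return f;
}

// Replay the report: a 72-byte chunk whose header claims ~4 GB, sent `chunks`
// times to one session. Returns the bytes the session still holds afterwards.
std::size_t simulateFlood(Decoder decode, int chunks) {
    Session s;
    const auto chunk = makeFrame(0xFFFFFFF0u, 72 - kHeaderLen);  // constructed input
    std::size_t held = 0;
    for (int i = 0; i < chunks; ++i) held = feed(s, chunk, decode);
    return held;
}

// Sanity check: both decoders still accept well-formed frames.
std::size_t decodeValidFrames(Decoder decode, int frames) {
    Session s;
    const auto frame = makeFrame(kHeaderLen + 10, 10);  // constructed 14-byte frame
    for (int i = 0; i < frames; ++i) feed(s, frame, decode);
    return s.decodedFrames;
}

int main() {
    std::printf("naive, 1000 bad chunks: %zu bytes held\n", simulateFlood(decodeNaive, 1000));
    std::printf("hardened, 1000 bad chunks: %zu bytes held\n", simulateFlood(decodeHardened, 1000));
    std::printf("hardened, 5 valid frames decoded: %zu\n", decodeValidFrames(decodeHardened, 5));
    return 0;
}
```

The point of the hardened path is that the decision to keep reading is only ever taken for a length the node is willing to hold in memory; anything above the cap terminates the session and frees its buffer immediately, so a flood of such packets costs the node a closed socket per attempt rather than unbounded memory.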
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.