Commit
Yesterday, when playing around with my network code, I realized there is a security issue in decode_variant, at least when decoding PoolArrays. Basically, the size of the PoolArray is encoded in a uint32_t; when decoding it, that value is cast to int when checking whether the packet is actually that size, causing numbers with MSB=1 to be interpreted as negative and thus always passing the check. That same value, though, is used as uint32_t again to resize the output vector. For this reason, sending a malformed packet with declared type PoolByteArray and size of 2^31(+x) causes the engine to try to allocate 2+GB of pool memory, causing the engine to crash. This patch is a backport of the one initially written for the master branch.
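As an added illustration (not the engine's own decode_variant code), a minimal version of the signed-comparison bug described above next to the corrected check; the packet layout, helper names and sample packets are constructed for this example:

```cpp
#include <cstdint>
#include <cstddef>
#include <vector>

// Read a 4-byte little-endian length prefix (constructed helper, not engine code).
static uint32_t read_u32_le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

// Vulnerable pattern from the commit message: the declared element count is
// compared as a signed int, so a value with the top bit set reads as negative,
// the "does the packet really hold that many bytes" test passes, and the caller
// would go on to resize() with the original huge unsigned count.
bool length_check_vulnerable(const uint8_t *buf, size_t len) {
    if (len < 4) return false;
    int32_t count = (int32_t)read_u32_le(buf);   // 0x80000005 becomes negative
    int32_t remaining = (int32_t)(len - 4);
    return count <= remaining;                    // negative count always "fits"
}

// Hardened pattern, in the shape of the check quoted in the follow-up comment
// on this commit (`strlen < 0 || strlen + pad > len`): reject negative counts.
bool length_check_fixed(const uint8_t *buf, size_t len) {
    if (len < 4) return false;
    int32_t count = (int32_t)read_u32_le(buf);
    int32_t remaining = (int32_t)(len - 4);
    return !(count < 0 || count > remaining);
}

// Decoder that only allocates once the hardened check has passed.
bool decode_pool_byte_array(const uint8_t *buf, size_t len, std::vector<uint8_t> &out) {
    if (!length_check_fixed(buf, len)) return false;
    uint32_t count = read_u32_le(buf);
    out.assign(buf + 4, buf + 4 + count);
    return true;
}

// Constructed sample packets: [u32 little-endian count][payload]
const uint8_t PKT_OK[]       = {3, 0, 0, 0, 'a', 'b', 'c'};     // count 3, 3 bytes present
const uint8_t PKT_TOO_LONG[] = {9, 0, 0, 0, 'a', 'b', 'c'};     // count 9, only 3 present
const uint8_t PKT_MSB_SET[]  = {5, 0, 0, 0x80, 'a', 'b', 'c'};  // count 0x80000005
```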
497bc7d
I'm experiencing the following issue:
Any JSON message read by a PacketPeerStream.get_var() fails with the following:
"Condition ' strlen < 0 || strlen + pad > len ' is true. returned: ERR_FILE_EOF"
Has the API changed? It looks like the new error is being generated by this update. Does this deserve an issue ticket?