Skip to content

limit remote state header values#357

Merged
tgross merged 1 commit into
masterfrom
NMD1523
Jul 7, 2026
Merged

limit remote state header values#357
tgross merged 1 commit into
masterfrom
NMD1523

Conversation

@tgross

@tgross tgross commented Jul 7, 2026

Copy link
Copy Markdown
Member

The header of a push-pull state message contains a count of nodes and user state length. As an optimization, both of these fields are used to pre-allocate memory to receive the remote state before copying it off the wire. But if the header mismatches the actual state, a very small pull-push state message (or at least one below the message size limit) can be used to consume excess memory on the receiver.

Limit the memory allocated such that the maximum amount allocated cannot exceed the maximum actual size of the push-pull state, either in number of nodes or size of the user state.

Ref: https://hashicorp.atlassian.net/browse/SECVULN-42161
Ref: https://hashicorp.atlassian.net/browse/NMD-1523

The header of a push-pull state message contains a count of nodes and user state
length. As an optimization, both of these fields are used to pre-allocate memory
to receive the remote state before copying it off the wire. But if the header
mismatches the actual state, a very small pull-push state message (or at least
one below the message size limit) can be used to consume excess memory on the
receiver.

Limit the memory allocated such that the maximum amount allocated cannot exceed
the maximum actual size of the push-pull state, either in number of nodes or
size of the user state.

Ref: https://hashicorp.atlassian.net/browse/SECVULN-42161
Ref: https://hashicorp.atlassian.net/browse/NMD-1523
@tgross
tgross requested a review from a team as a code owner July 7, 2026 13:05
@tgross
tgross merged commit 371698b into master Jul 7, 2026
9 of 11 checks passed
joakimhellum added a commit to pigeon-as/memberlist that referenced this pull request Jul 7, 2026
A max incarnation in a suspect/dead/alive message overflows refute() and lets one message permanently evict a node. Ignore incarnations above a limit on ingestion, the same way hashicorp#357 bounds the push-pull header.

Fixes hashicorp#358.
joakimhellum added a commit to pigeon-as/memberlist that referenced this pull request Jul 7, 2026
A max incarnation in a suspect/dead/alive message overflows refute() and lets one message permanently evict a node. Ignore incarnations above a limit on ingestion, the same way hashicorp#357 bounds the push-pull header.

Fixes hashicorp#358.
joakimhellum added a commit to pigeon-as/memberlist that referenced this pull request Jul 7, 2026
A max incarnation in a suspect/dead/alive message overflows refute() and lets one message permanently evict a node. Ignore incarnations above a limit on ingestion, the same way hashicorp#357 bounds the push-pull header.

Fixes hashicorp#358.
joakimhellum added a commit to pigeon-as/memberlist that referenced this pull request Jul 8, 2026
readUserMsg sizes make([]byte, header.UserMsgLen) from the wire header with no bound, so a small userMsg frame declaring a large length forces a large allocation on the receiver. This is the userMsg path of the same issue hashicorp#357 fixed for push-pull state.
@tgross

tgross commented Jul 8, 2026

Copy link
Copy Markdown
Member Author

joakimhellum added a commit to pigeon-as/memberlist that referenced this pull request Jul 9, 2026
readUserMsg sizes make([]byte, header.UserMsgLen) from the wire header with no bound, so a small userMsg frame declaring a large length forces a large allocation on the receiver. This is the userMsg path of the same issue hashicorp#357 fixed for push-pull state.
joakimhellum added a commit to pigeon-as/memberlist that referenced this pull request Jul 9, 2026
A max incarnation in a suspect/dead/alive message overflows refute() and lets one message permanently evict a node. Ignore incarnations above a limit on ingestion, the same way hashicorp#357 bounds the push-pull header.

Fixes hashicorp#358.
joakimhellum added a commit to pigeon-as/memberlist that referenced this pull request Jul 9, 2026
A max incarnation in a suspect/dead/alive message overflows refute() and lets one message permanently evict a node. Ignore incarnations above a limit on ingestion, the same way hashicorp#357 bounds the push-pull header.

Fixes hashicorp#358.
joakimhellum added a commit to pigeon-as/memberlist that referenced this pull request Jul 10, 2026
A max incarnation in a suspect/dead/alive message overflows refute() and lets one message permanently evict a node. Ignore incarnations above a limit on ingestion, the same way hashicorp#357 bounds the push-pull header.

Fixes hashicorp#358.
joakimhellum added a commit to pigeon-as/memberlist that referenced this pull request Jul 10, 2026
A max incarnation in a suspect/dead/alive message overflows refute() and lets one message permanently evict a node. Ignore incarnations above a limit on ingestion, the same way hashicorp#357 bounds the push-pull header.

Fixes hashicorp#358.
joakimhellum added a commit to pigeon-as/memberlist that referenced this pull request Jul 10, 2026
A max incarnation in a suspect/dead/alive message overflows refute() and lets one message permanently evict a node. Ignore incarnations above a limit on ingestion, the same way hashicorp#357 bounds the push-pull header.

Fixes hashicorp#358.
joakimhellum added a commit to pigeon-as/memberlist that referenced this pull request Jul 10, 2026
A max incarnation in a suspect/dead/alive message overflows refute() and lets one message permanently evict a node. Ignore incarnations above a limit on ingestion, the same way hashicorp#357 bounds the push-pull header.

Fixes hashicorp#358.
joakimhellum added a commit to pigeon-as/memberlist that referenced this pull request Jul 11, 2026
A max incarnation in a suspect/dead/alive message overflows refute() and lets one message permanently evict a node. Ignore incarnations above a limit on ingestion, the same way hashicorp#357 bounds the push-pull header.

Fixes hashicorp#358.
joakimhellum added a commit to pigeon-as/memberlist that referenced this pull request Jul 11, 2026
A max incarnation in a suspect/dead/alive message overflows refute() and lets one message permanently evict a node. Ignore incarnations above a limit on ingestion, the same way hashicorp#357 bounds the push-pull header.

Fixes hashicorp#358.
joakimhellum added a commit to pigeon-as/memberlist that referenced this pull request Jul 11, 2026
A max incarnation in a suspect/dead/alive message overflows refute() and lets one message permanently evict a node. Ignore incarnations above a limit on ingestion, the same way hashicorp#357 bounds the push-pull header.

Fixes hashicorp#358.
joakimhellum added a commit to pigeon-as/memberlist that referenced this pull request Jul 11, 2026
A max incarnation in a suspect/dead/alive message overflows refute() and lets one message permanently evict a node. Ignore incarnations above a limit on ingestion, the same way hashicorp#357 bounds the push-pull header.

Fixes hashicorp#358.
joakimhellum added a commit to pigeon-as/memberlist that referenced this pull request Jul 13, 2026
A max incarnation in a suspect/dead/alive message overflows refute() and lets one message permanently evict a node. Ignore incarnations above a limit on ingestion, the same way hashicorp#357 bounds the push-pull header.

Fixes hashicorp#358.
joakimhellum added a commit to pigeon-as/memberlist that referenced this pull request Jul 14, 2026
A max incarnation in a suspect/dead/alive message overflows refute() and lets one message permanently evict a node. Ignore incarnations above a limit on ingestion, the same way hashicorp#357 bounds the push-pull header.

Fixes hashicorp#358.
tgross pushed a commit that referenced this pull request Jul 14, 2026
readUserMsg sizes make([]byte, header.UserMsgLen) from the wire header with no bound, so a small userMsg frame declaring a large length forces a large allocation on the receiver. This is the userMsg path of the same issue #357 fixed for push-pull state.

Fixes: #360
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants