Impact
When feeding untrusted user input into the size parameter of NewBitfield and FromBytes functions, an attacker can trigger panics.
This happen when the size is a not a multiple of 8 or is negative.
There were already a note in the NewBitfield documentation:
Panics if size is not a multiple of 8.
But it incomplete and missing from FromBytes's documentation.
This has been replaced by returning an (Bitfield, error) and returning a non nil error if the size is wrong.
Patches
Workarounds
- Ensure
size%8 == 0 && size >= 0 yourself before calling NewBitfield or FromBytes
References
Impact
When feeding untrusted user input into the size parameter of
NewBitfieldandFromBytesfunctions, an attacker can triggerpanics.This happen when the
sizeis a not a multiple of8or is negative.There were already a note in the
NewBitfielddocumentation:But it incomplete and missing from
FromBytes's documentation.This has been replaced by returning an
(Bitfield, error)and returning a non nil error if the size is wrong.Patches
Workarounds
size%8 == 0 && size >= 0yourself before callingNewBitfieldorFromBytesReferences