Conversation

@Lukasa Lukasa commented Aug 4, 2016

The library is vulnerable to a denial of service attack whereby a remote peer
can insert an unbounded number of streams into the priority tree. This consumes
unbounded memory and also increasingly large amounts of CPU, which can
lead to a trivial denial of service against an HTTP/2 server. This vulnerability
is part of a class of vulnerabilities originally reported in this report,
under the section "Victim 3-Dependency and Priority". The document notes in
passing that the dependency tree size is not limited, and that "a server that
naively trusts the client may be foiled to build a dependency tree that will
consume its memory". This is exactly the attack that the priority library is
exposed to.

Sample code to reproduce the vulnerability is below:

import priority

tree = priority.PriorityTree()
x = 1

while True:
    tree.insert_stream(x)
    x += 1

This code will run indefinitely, and eventually exhaust the memory available
to it.
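The mitigation a server wants against this is a hard cap on the number of streams a peer may hold in the dependency tree, checked before anything is allocated. The block below is an added, stand-alone model of that check, not the priority project's own code or its fixed API: the names BoundedPriorityTree, TooManyStreamsError, maximum_streams and flood are assumptions for this illustration.

```python
# Added example (not the priority project's own code): a minimal HTTP/2
# dependency tree that enforces a hard cap on the number of streams a remote
# peer may insert. Class and parameter names are assumptions for illustration.


class TooManyStreamsError(Exception):
    """Raised when a peer tries to exceed the configured stream limit."""


class BoundedPriorityTree:
    def __init__(self, maximum_streams=1000):
        if maximum_streams < 1:
            raise ValueError("maximum_streams must be positive")
        self.maximum_streams = maximum_streams
        # Stream 0 is the implicit root every stream ultimately depends on.
        self._parents = {0: None}

    def __len__(self):
        return len(self._parents) - 1  # exclude the root

    def insert_stream(self, stream_id, depends_on=0):
        if stream_id in self._parents:
            raise ValueError("duplicate stream %d" % stream_id)
        if depends_on not in self._parents:
            raise ValueError("unknown parent %d" % depends_on)
        # The check that closes the DoS: refuse before allocating anything.
        if len(self) >= self.maximum_streams:
            raise TooManyStreamsError(
                "peer exceeded maximum_streams=%d" % self.maximum_streams)
        self._parents[stream_id] = depends_on

    def remove_stream(self, stream_id):
        if stream_id == 0:
            raise ValueError("the root stream cannot be removed")
        parent = self._parents.pop(stream_id)
        # Re-parent children onto the removed stream's parent so the
        # tree stays connected (as RFC 7540 section 5.3.4 describes).
        for child, p in self._parents.items():
            if p == stream_id:
                self._parents[child] = parent


def flood(tree, attempts):
    """Run the report's reproduction loop against a bounded tree and
    return how many streams were accepted before the cap stopped it."""
    inserted = 0
    for stream_id in range(1, attempts + 1):
        try:
            tree.insert_stream(stream_id)
        except TooManyStreamsError:
            break
        inserted += 1
    return inserted
```

With a cap of 100, `flood(tree, 10_000)` returns 100 and memory use stays bounded regardless of how many inserts the peer attempts.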

@Lukasa Lukasa merged commit 7d01a7d into master Aug 4, 2016
@Lukasa Lukasa deleted the issue/22 branch August 4, 2016 08:25