Audit for use of size_hint coming from untrusted data #744
@nox pointed out in IRC that Bincode sequence and map deserializers provide a size_hint that comes straight from the input, and untrusted Bincode data could put a fake large number there. If a Deserialize type takes that hint and uses it for Vec::with_capacity, it could be bad.
Let's look through existing formats to see how prevalent this is and try to come up with guidelines for avoiding this problem.
Comments
See rust-lang-deprecated/rustc-serialize#150 for some similar discussion.
we can never protect against oom. If enough data comes from a stream, we will end up allocating too much memory at some point.
do bincode and similar check whether the number of hinted elements is also the number of deserialized elements? Otherwise another attack is to always suggest 4096 elements (or whatever the limit is), and only deserialize one element. Since the allocations are never shrunk, we waste a lot of memory.
Bincode can only succeed if 4096 elements were deserialised in that case.
Let's continue to track this under #850.
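The pattern the issue describes, a length prefix read from untrusted bytes and passed straight to Vec::with_capacity, and the hardened form that treats it as a capped hint, as an added example. This is not serde's or bincode's code; it is a minimal length-prefixed sequence decoder written against std only, so it models the hazard rather than using either crate's API. The names MAX_PREALLOC, encode, decode_naive, decode_capped and planned_capacity are all constructed for this example. It also covers the question raised in the comments about a stream that claims 4096 elements and delivers one: the capped decoder still requires the declared number of elements to be present, so that stream fails with Truncated after reserving at most MAX_PREALLOC slots.

```rust
use std::convert::{TryFrom, TryInto};

/// Upper bound on the capacity we reserve from an untrusted length prefix.
/// Constructed value for this example; a real format would choose its own.
/// A streaming source cannot be bounded by "bytes remaining", so a constant
/// cap is the only defence that works in both the in-memory and streaming case.
pub const MAX_PREALLOC: usize = 4096;

#[derive(Debug, PartialEq)]
pub enum DecodeError {
    /// The stream ended before the declared number of elements was read.
    Truncated,
}

/// Builds a constructed input: an 8-byte little-endian element count followed
/// by the elements. `claimed` is separate from `elems.len()` so a hostile
/// prefix can be produced for the demonstration.
pub fn encode(claimed: u64, elems: &[u32]) -> Vec<u8> {
    let mut out = claimed.to_le_bytes().to_vec();
    for e in elems {
        out.extend_from_slice(&e.to_le_bytes());
    }
    out
}

/// Reads the element count that starts a sequence.
fn read_len(input: &[u8]) -> Result<(u64, &[u8]), DecodeError> {
    if input.len() < 8 {
        return Err(DecodeError::Truncated);
    }
    let len = u64::from_le_bytes(input[..8].try_into().unwrap());
    Ok((len, &input[8..]))
}

/// Reads exactly `len` u32 elements into `out`, failing if the stream is short.
fn read_elems(len: u64, mut rest: &[u8], out: &mut Vec<u32>) -> Result<(), DecodeError> {
    for _ in 0..len {
        if rest.len() < 4 {
            return Err(DecodeError::Truncated);
        }
        out.push(u32::from_le_bytes(rest[..4].try_into().unwrap()));
        rest = &rest[4..];
    }
    Ok(())
}

/// Naive decoder: the untrusted count goes straight into Vec::with_capacity.
/// Only safe on honest input; a hostile prefix such as u64::MAX asks for a
/// huge allocation before a single element has been read, which aborts the
/// process on OOM or panics with a capacity overflow.
pub fn decode_naive(input: &[u8]) -> Result<Vec<u32>, DecodeError> {
    let (len, rest) = read_len(input)?;
    let mut out = Vec::with_capacity(len as usize); // trusts the hint
    read_elems(len, rest, &mut out)?;
    Ok(out)
}

/// The capacity the hardened decoder will actually reserve for a given hint.
pub fn planned_capacity(hint: u64) -> usize {
    usize::try_from(hint).unwrap_or(usize::MAX).min(MAX_PREALLOC)
}

/// Hardened decoder: the count is still the number of elements we insist on
/// reading, but the pre-allocation is capped. Vec grows on demand if the
/// stream genuinely carries more than MAX_PREALLOC elements, so memory use is
/// always proportional to data actually received rather than data claimed.
pub fn decode_capped(input: &[u8]) -> Result<Vec<u32>, DecodeError> {
    let (len, rest) = read_len(input)?;
    let mut out = Vec::with_capacity(planned_capacity(len));
    read_elems(len, rest, &mut out)?;
    Ok(out)
}

fn main() {
    let honest = encode(3, &[1, 2, 3]);
    println!("honest, naive:  {:?}", decode_naive(&honest));
    println!("honest, capped: {:?}", decode_capped(&honest));

    // Hostile prefix: claims u64::MAX elements, delivers one.
    let hostile = encode(u64::MAX, &[7]);
    println!("capacity reserved for hostile hint: {}", planned_capacity(u64::MAX));
    println!("hostile, capped: {:?}", decode_capped(&hostile)); // Err(Truncated)
    // decode_naive(&hostile) is deliberately not called here.

    // "Claim 4096, deliver 1": the declared count is still enforced.
    println!("overclaim, capped: {:?}", decode_capped(&encode(4096, &[7])));
}
```

The cap is the whole fix for the allocation side: planned_capacity never exceeds MAX_PREALLOC however large the prefix is, while the honest path is unchanged. The comment in the thread about never fully protecting against OOM still holds for data that really is present on the stream; what the cap removes is the ability to trigger a large allocation with a few bytes of header.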