Unmarshaling malicious data with variable-length array without specified size can lead to extensive memory usage

[bartekn]

There is a bug in go-xdr (I wasn't able to create an issue there) when trying to unmarshal variable-length array without specified size. Take a look at this union:

union StellarMessage switch (MessageType type)
{
  // ...

case GET_PEERS:
    void;
case PEERS:
    PeerAddress peers<>;

  // ...
}

We can create a special StellarMessage that looks like:

$ echo "AAAABX///9AAAAAAAAECAwAAAFAAAABk" | base64 -D | hexdump -C
00000000  00 00 00 05 7f ff ff d0  00 00 00 00 00 01 02 03  |................|
                      ^^^^^^^^^^^
00000010  00 00 00 50 00 00 00 64                           |...P...d|
00000018

Bytes marked with ^ represent the size of an array, which should be 1 since it contains only one address, but it has been changed to some very large number. As a result go-xdr is trying to allocate a large chunk of memory for the array that in reality is really small. Here's a little proof-of-concept:

package main

import (
  "github.com/stellar/go/xdr"
)

func main() {
  var message xdr.StellarMessage
  xdr.SafeUnmarshalBase64("AAAABX///9AAAAAAAAECAwAAAFAAAABk", &message)
}

A fix should check if the number of remaining bytes is less than or equal the specified size before allocating memory (you can check how it's works in xdrpp).

[nullstyle]

Let's move this to go-xdr. Issues being disabled on that repo was an accident.