-
-
Notifications
You must be signed in to change notification settings - Fork 2.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Vulnerability to attacks because there is no size limit #186
Comments
I agree, this should probably be fixed! |
I think BufRead requires something like: https://doc.rust-lang.org/stable/std/io/trait.BufRead.html#method.read_line |
I would probably not use the impl in std and write our own. |
This issue should be created in |
IMO both |
It sounds like the best way forward might be to add an optional I'm not clear on why the same lines utility combinator exists in tokio-io and futures-util -- is the former going to be dropped? |
This could be a possible solution:
|
This should be possible to add to |
## Motivation Currently, there is a potential denial of service vulnerability in the `lines` codec. Since there is no bound on the buffer that holds data before it is split into a new line, an attacker could send an unbounded amount of data without sending a `\n` character. ## Solution This branch adds a `new_with_max_length` constructor for `LinesCodec` that configures a limit on the maximum number of bytes per line. When the limit is reached, the the overly long line will be discarded (in `max_length`-sized increments until a newline character or the end of the buffer is reached. It was also necessary to add some special-case logic to avoid creating an empty line when the length limit is reached at the character immediately _before_ a `\n` character. Additionally, this branch adds new tests for this function, including a test for changing the line limit in-flight. ## Notes This branch makes the following changes from my original PR with this change (#590): - The whole too-long line is discarded at once in the first call to `decode` that encounters it. - Only one error is emitted per too-long line. - Made all the changes requested by @carllerche in #590 (comment) Fixes: #186 Signed-off-by: Eliza Weisman <eliza@buoyant.io>
While now there is an easier way to read lines with a maximum limit, this still doesn't address the issue that the easiest to use API will result with unsafe behavior. Instead of buffered reader, you need to be aware of the LinesCodec and FramedReader. Unfortunately, there is nothing about using |
tokio/tokio-io/src/lines.rs
Line 48 in 687871d
read_line function seems vulnerable to attack. If an attacker sends data continually without "\r\n" the size of buffer (String) would keep growing without a limit.
The text was updated successfully, but these errors were encountered: