Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Connection.readLP not protected against unreasonable sizes #69

Closed
arnetheduck opened this issue Feb 4, 2020 · 3 comments
Closed

Connection.readLP not protected against unreasonable sizes #69

arnetheduck opened this issue Feb 4, 2020 · 3 comments

Comments

@arnetheduck
Copy link
Contributor

https://github.com/status-im/nim-libp2p/blob/691efaa8a12a4055719fd9fb1b91b46e1944c12a/libp2p/connection.nim#L112

since the remote end sends a size first, it can force the application to try to allocate ridiculous amounts of memory - should require a max length.
@cheatfate
Copy link
Contributor

@arnetheduck but it is covered with check for size < DefaultReadSize.

@arnetheduck
Copy link
Contributor Author

right, missed it

@sinkingsugar
Copy link
Contributor

Btw this is kinda wrong, the value of DefaultReadSize is not in the spec, and prevents mplex 1MB max size messages too.
See: #74 (comment)
Also chronos seems to fail with big sizes in stream transport somehow status-im/nim-chronos#72

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@arnetheduck @cheatfate @sinkingsugar