Potential infinite loop in binary packet decoding #357

yhx-12243 · 2024-08-14T13:41:13Z

Describe the bug
When server receive a binary packet (45...) without -, it will get a infinite loop.

https://github.com/Totodore/socketioxide/blob/d796728/socketioxide/src/packet.rs#L456-L458

To Reproduce
Steps to reproduce the behavior:
Let engineIo be the official engine-io client.

sock = new engineIo();
sock.send('0');
sock.send('5');

(No rejection, No further ping-pong, CPU got 100%)

Expected behavior
Refuse this packet.

Versions (please complete the following information):

Socketioxide version: 0.14.0
Http lib: 1.1.0
Socket.io client version: manual hacking

The text was updated successfully, but these errors were encountered:

yhx-12243 added the bug Something isn't working label Aug 14, 2024

yhx-12243 assigned Totodore Aug 14, 2024

Totodore added the vulnerability This reference a vulnerability found on socketioxide or engineioxide label Aug 14, 2024

yhx-12243 added a commit to yhx-12243/socketioxide that referenced this issue Aug 14, 2024

fix: reject invalid binary event (resolve Totodore#357)

7fbe726

Totodore closed this as completed in 618cb98 Aug 14, 2024

Totodore mentioned this issue Aug 14, 2024

chore(deps): v0.14.1 #359

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Potential infinite loop in binary packet decoding #357

Potential infinite loop in binary packet decoding #357

yhx-12243 commented Aug 14, 2024 •

edited

Loading

Potential infinite loop in binary packet decoding #357

Potential infinite loop in binary packet decoding #357

Comments

yhx-12243 commented Aug 14, 2024 • edited Loading

yhx-12243 commented Aug 14, 2024 •

edited

Loading