Snappy decompress length can be very large and causes out of memory error

Impact

Adversary can create message which compressed size is less than the package limit but the decompressed length is very large such as 1G. It will cost the node many memories to process the network messages, and on the system with less than 1G memory, the process is killed directly because of out of memory error.

Patches

The node must check the decompress length before allocating the memory for the message.

References

ckb/network/src/compress.rs

Line 68 in 687d797

match SnapDecoder::new().decompress_vec(&self.inner[1..]) {
https://github.com/BurntSushi/rust-snappy/blob/master/src/decompress.rs#L106
https://github.com/BurntSushi/rust-snappy/blob/6cfb836463b9b3ac48ca7cd15d0a50d030e95769/src/decompress.rs#L30

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Snappy decompress length can be very large and causes out of memory error

Package

Affected versions

Patched versions

Description

Impact

Patches

References

Severity

CVE ID

Weaknesses

Credits