While fuzzing the ohttp-go package, we noticed that the readVarintSlice function used
to decode QUIC variable-length integers in the encoded varint without initially checking availability.
Since the encoded values are attacker-controllable, a maliciously crafted and encoded
request could prompt the gateway to allocate an excessively large memory segment,
resulting in a Denial-of-Service (DoS).
One can pertinently note that a reference implementation utilizing the ohttp-go library wraps
the entire library into the Golang standard http library, which features a built-in mechanism to
recover from raised panics. However, the library itself should check for a maximum allowed
allocation size and return an error message when this limit is reached.
Affected file:
ohttp-go/bhttp.go
Affected code:
func readVarintSlice(b *bytes.Buffer) ([]byte, error) {
len, err := Read(b)
if err != nil {
return nil, err
}
value := make([]byte, len)
The following test function will trigger the crash by allocating a massive amount of memory:
PoC:
func TestVeryLargeVarInt(t *testing.T) {
// 0xF6: the top two bits (11) select the 8-byte QUIC varint encoding, so the
// decoded length is 0x36<<56 bytes, which is then passed straight to make().
data := []uint8{246, 0, 0, 0, 0, 0, 0, 0}
buf := bytes.NewBuffer(data)
readVarintSlice(buf)
}
To mitigate this issue, consider installing appropriate length checks within this
function. This measure serves to ensure that any potentially attacker-controllable arguments
cannot be exploited to induce remote DoS or crashes stemming from out-of-memory and
panic scenarios.
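The following is an added example illustrating the length checks the report asks for; it is not code from ohttp-go or from the reporter. It decodes the QUIC varint itself (readVarint, standing in for the package's Read helper, which the report does not show) and then, in readVarintSliceChecked, rejects the decoded length before allocating if it exceeds an assumed hard cap (maxFieldLen, a hypothetical value) or the bytes actually remaining in the buffer. The inputs in main are constructed for this example; the "huge" case reuses the report's PoC bytes.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
)

// maxFieldLen is a hypothetical cap on one length-prefixed field; a real
// gateway would size it to the requests it expects to serve.
const maxFieldLen = 1 << 20

var (
	errTruncated = errors.New("bhttp: truncated input")
	errTooLarge  = errors.New("bhttp: length prefix exceeds limit")
)

// readVarint decodes a QUIC variable-length integer (RFC 9000, Section 16).
// The top two bits of the first byte select a 1-, 2-, 4- or 8-byte encoding;
// the remaining 6 bits plus any following bytes form the big-endian value.
func readVarint(b *bytes.Buffer) (uint64, error) {
	first, err := b.ReadByte()
	if err != nil {
		return 0, errTruncated
	}
	width := 1 << (first >> 6) // 1, 2, 4 or 8 bytes in total
	v := uint64(first & 0x3f)
	for i := 1; i < width; i++ {
		next, err := b.ReadByte()
		if err != nil {
			return 0, errTruncated
		}
		v = v<<8 | uint64(next)
	}
	return v, nil
}

// readVarintSliceChecked is the hardened form of the reported function: the
// attacker-controlled length is validated against a hard cap and against the
// bytes still available before any allocation takes place.
func readVarintSliceChecked(b *bytes.Buffer) ([]byte, error) {
	n, err := readVarint(b)
	if err != nil {
		return nil, err
	}
	if n > maxFieldLen {
		return nil, fmt.Errorf("%w: %d > %d", errTooLarge, n, maxFieldLen)
	}
	// A declared length longer than the remaining input can never be filled,
	// so refuse it here instead of trusting the prefix and allocating.
	if n > uint64(b.Len()) {
		return nil, fmt.Errorf("%w: need %d bytes, have %d", errTruncated, n, b.Len())
	}
	value := make([]byte, n)
	if _, err := io.ReadFull(b, value); err != nil {
		return nil, errTruncated
	}
	return value, nil
}

func main() {
	// Constructed inputs for this example (not from the ohttp-go test suite).
	cases := []struct {
		name string
		in   []byte
	}{
		// 0x05: 1-byte varint, length 5, followed by exactly 5 payload bytes.
		{"valid", []byte{0x05, 'h', 'e', 'l', 'l', 'o'}},
		// The report's PoC bytes: 0xF6 selects an 8-byte varint, value 0x36<<56.
		{"huge", []byte{246, 0, 0, 0, 0, 0, 0, 0}},
		// Claims 16 bytes of payload but only 3 follow.
		{"truncated", []byte{0x10, 'a', 'b', 'c'}},
	}
	for _, c := range cases {
		v, err := readVarintSliceChecked(bytes.NewBuffer(c.in))
		fmt.Printf("%-10s value=%q err=%v\n", c.name, v, err)
	}
}
```

The remaining-bytes check is the one that matters most for a parser fed from a bounded request body: even with a generous cap, a prefix cannot claim more than the buffer holds, so the allocation is bounded by the input size the caller already accepted.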