Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Eager allocation of byte buffer can cause `java.lang.OutOfMemoryError` exception (CVE-2020-28491)
See original GitHub issueCBORParser.java _finishBytes() accepts an unchecked field string length value discovered during parsing, and is used to allocated a buffer. A malicious payload can be fabricated to exploit this and (at least) cause a java.lang.OutOfMemoryError exception.
@SuppressWarnings("resource")
protected byte[] _finishBytes(int len) throws IOException
{
// First, simple: non-chunked
if (len >= 0) {
if (len == 0) {
return NO_BYTES;
}
byte[] b = new byte[len]; <-- OutOfMemoryError here if len is large
I am not sure how serious this is in java. With an unmanaged runtime this would be critical security vulnerability.
For example, the following CBOR data (discovered by a fuzzer) leads to len = 2147483647 and triggers this exception on my laptop.
d9d9f7a35a7ffffffff7d9f7f759f7f7f7
This can probably be addressed by simple sanity checking of the len value (non-negative, some max limit).
Issue Analytics
- State:
- Created 4 years ago
- Comments:17 (14 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
What I mean is that with this problem, an attacker can use a very small payload to cause this big allocation, possibly causing denial of service with little effort. If the buffer were to grow incrementally while reading, the attacker would need to follow up the length header they sent with actual data to make an impact on memory consumption.
Another possibility would be not pre-allocating the buffer for large sizes and instead using a ByteArrayOutputStream-like growing scheme. It’s slightly less efficient if the full data does come in, but an attacker would have to actually send the data she is claiming to cause a DoS, which makes an attack more difficult.