GHSA-3gjh-29fv-8hr6

Source

https://github.com/advisories/GHSA-3gjh-29fv-8hr6

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-3gjh-29fv-8hr6/GHSA-3gjh-29fv-8hr6.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-3gjh-29fv-8hr6

Published

2024-02-03T00:18:10Z

Modified

2024-02-03T00:18:10Z

Summary

Nervos CKB Snappy decompress length can be very large and causes out of memory error

Details

Impact

Adversary can create message which compressed size is less than the package limit but the decompressed length is very large such as 1G. It will cost the node many memories to process the network messages, and on the system with less than 1G memory, the process is killed directly because of out of memory error.

Patches

The node must check the decompress length before allocating the memory for the message.

References

https://github.com/nervosnetwork/ckb/blob/687d797f1888dd05d1f38ce6d1bef3e5b9b6e38b/network/src/compress.rs#L68
https://github.com/BurntSushi/rust-snappy/blob/master/src/decompress.rs#L106
https://github.com/BurntSushi/rust-snappy/blob/6cfb836463b9b3ac48ca7cd15d0a50d030e95769/src/decompress.rs#L30

References

https://github.com/nervosnetwork/ckb/security/advisories/GHSA-3gjh-29fv-8hr6

Affected packages

crates.io / ckb

Package

Name: ckb; View open source insights on deps.dev
Purl: pkg:cargo/ckb

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.34.2

Database specific

{
    "last_known_affected_version_range": "<= 0.34.1"
}