GHSA-3gjh-29fv-8hr6

Suggest an improvement
Source
https://github.com/advisories/GHSA-3gjh-29fv-8hr6
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-3gjh-29fv-8hr6/GHSA-3gjh-29fv-8hr6.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-3gjh-29fv-8hr6
Published
2024-02-03T00:18:10Z
Modified
2024-02-03T00:18:10Z
Summary
Nervos CKB Snappy decompress length can be very large and causes out of memory error
Details

Impact

Adversary can create message which compressed size is less than the package limit but the decompressed length is very large such as 1G. It will cost the node many memories to process the network messages, and on the system with less than 1G memory, the process is killed directly because of out of memory error.

Patches

The node must check the decompress length before allocating the memory for the message.

References

  • https://github.com/nervosnetwork/ckb/blob/687d797f1888dd05d1f38ce6d1bef3e5b9b6e38b/network/src/compress.rs#L68
  • https://github.com/BurntSushi/rust-snappy/blob/master/src/decompress.rs#L106
  • https://github.com/BurntSushi/rust-snappy/blob/6cfb836463b9b3ac48ca7cd15d0a50d030e95769/src/decompress.rs#L30
Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-02-03T00:18:10Z"
}
References

Affected packages

crates.io / ckb

Package

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.34.2

Database specific

{
    "last_known_affected_version_range": "<= 0.34.1"
}