RUSTSEC-2019-0033

See a problem?
Please try reporting it to the source first.

Source

https://rustsec.org/advisories/RUSTSEC-2019-0033

Import Source

https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2019-0033.json

JSON Data

https://api.osv.dev/v1/vulns/RUSTSEC-2019-0033

Aliases

Published

2019-11-16T12:00:00Z

Modified

2023-11-08T04:01:32.294723Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

Integer Overflow in HeaderMap::reserve() can cause Denial of Service

Details

HeaderMap::reserve() used usize::next_power_of_two() to calculate the increased capacity. However, next_power_of_two() silently overflows to 0 if given a sufficiently large number in release mode.

If the map was not empty when the overflow happens, the library will invoke self.grow(0) and start infinite probing. This allows an attacker who controls the argument to reserve() to cause a potential denial of service (DoS).

The flaw was corrected in 0.1.20 release of http crate.

Database specific

{
    "license": "CC0-1.0"
}

References

Affected packages

crates.io / http

Package

Name: http; View open source insights on deps.dev
Purl: pkg:cargo/http

Affected ranges

Type: SEMVER
Events: Introduced

0.0.0-0

Fixed

0.1.20

Ecosystem specific

{
    "affected_functions": null,
    "affects": {
        "os": [],
        "functions": [
            "http::header::HeaderMap::reserve"
        ],
        "arch": []
    }
}

Database specific

{
    "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "informational": null,
    "categories": [
        "denial-of-service"
    ]
}