GHSA-3gjh-29fv-8hr6 – ckb

Package

Manager: cargo
Name: ckb
Vulnerable Version: >=0 <0.34.2

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

EPSS: N/A pctlN/A

Details

Nervos CKB Snappy decompress length can be very large and causes out of memory error ### Impact Adversary can create message which compressed size is less than the package limit but the decompressed length is very large such as 1G. It will cost the node many memories to process the network messages, and on the system with less than 1G memory, the process is killed directly because of out of memory error. ### Patches The node must check the decompress length before allocating the memory for the message. ### References * https://github.com/nervosnetwork/ckb/blob/687d797f1888dd05d1f38ce6d1bef3e5b9b6e38b/network/src/compress.rs#L68 * https://github.com/BurntSushi/rust-snappy/blob/master/src/decompress.rs#L106 * https://github.com/BurntSushi/rust-snappy/blob/6cfb836463b9b3ac48ca7cd15d0a50d030e95769/src/decompress.rs#L30

Metadata

Created: 2024-02-03T00:18:10Z
Modified: 2024-02-03T00:18:10Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-3gjh-29fv-8hr6/GHSA-3gjh-29fv-8hr6.json
CWE IDs: []
Alternative ID: N/A
Finding: F067
Auto approve: 1