encoding/binary: ReadUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs #40618
Change https://golang.org/cl/247120 mentions this issue.

gopherbot pushed a commit that referenced this issue on Aug 6, 2020:

This CL ensures that ReadUvarint consumes only a limited amount of input (instead of an unbounded amount). On some inputs, ReadUvarint could read an arbitrary number of bytes before deciding to return an overflow error. After this CL, ReadUvarint returns that same overflow error sooner, after reading at most MaxVarintLen64 bytes.

Fix authored by Robert Griesemer and Filippo Valsorda.

Thanks to Diederik Loerakker, Jonny Rhea, Raúl Kripalani, and Preston Van Loon for reporting this.

Fixes #40618
Fixes CVE-2020-16845

Change-Id: Ie0cb15972f14c38b7cf7af84c45c4ce54909bb8f
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/812099
Reviewed-by: Filippo Valsorda <[email protected]>
Reviewed-on: https://go-review.googlesource.com/c/go/+/247120
Run-TryBot: Katie Hockman <[email protected]>
TryBot-Result: Gobot Gobot <[email protected]>
Reviewed-by: Alexander Rakoczy <[email protected]>
alessio pushed a commit to cosmos/cosmos-sdk that referenced this issue on Oct 15, 2020:

Update tendermint to 0.33.8, see [1] for more information.

[1] golang/go#40618
Closed
Certain invalid inputs to `ReadUvarint` or `ReadVarint` could cause those functions to read an unlimited number of bytes from the `ByteReader` argument before returning an error. This could lead to processing more input than expected when the caller is reading directly from the network and depends on `ReadUvarint` and `ReadVarint` only consuming a small, bounded number of bytes, even from invalid inputs.

With the update, `ReadUvarint` and `ReadVarint` now always return after consuming a bounded number of bytes (specifically, `MaxVarintLen64`, which is 10). The result being returned has not changed; the functions merely detect and return some errors without reading as much input.

Thanks to Diederik Loerakker, Jonny Rhea, Raúl Kripalani, and Preston Van Loon for reporting this issue.

This issue is CVE-2020-16845.
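As an added illustration (not code from the Go repository or from the CL above), the following Go program contrasts a decoder modeled on the pre-fix, unbounded loop with one modeled on the bounded loop described in this issue, and counts how many bytes each pulls from a constructed stream of continuation bytes. The helpers `countingReader`, `readUvarintUnbounded`, `readUvarintBounded`, `continuationStream` and `decodeWith` are this example's own names; only `binary.MaxVarintLen64`, `binary.PutUvarint` and `binary.ReadUvarint` are the real standard-library API.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// countingReader wraps an io.ByteReader and records how many bytes a
// decoder actually consumed, which is the quantity this issue is about.
type countingReader struct {
	r io.ByteReader
	n int
}

func (c *countingReader) ReadByte() (byte, error) {
	b, err := c.r.ReadByte()
	if err == nil {
		c.n++
	}
	return b, err
}

var errOverflow = errors.New("varint overflows a 64-bit integer")

// readUvarintUnbounded models the pre-fix behaviour: it keeps reading while
// the continuation bit (0x80) is set and only checks for overflow once a
// terminating byte arrives, so a long run of continuation bytes is read in full.
func readUvarintUnbounded(r io.ByteReader) (uint64, error) {
	var x uint64
	var s uint
	for i := 0; ; i++ {
		b, err := r.ReadByte()
		if err != nil {
			return x, err
		}
		if b < 0x80 {
			if i > 9 || i == 9 && b > 1 {
				return x, errOverflow
			}
			return x | uint64(b)<<s, nil
		}
		x |= uint64(b&0x7f) << s
		s += 7
	}
}

// readUvarintBounded models the fixed behaviour: the loop runs at most
// MaxVarintLen64 (10) times, so overflow is reported after 10 bytes at most.
func readUvarintBounded(r io.ByteReader) (uint64, error) {
	var x uint64
	var s uint
	for i := 0; i < binary.MaxVarintLen64; i++ {
		b, err := r.ReadByte()
		if err != nil {
			if i > 0 && err == io.EOF {
				err = io.ErrUnexpectedEOF
			}
			return x, err
		}
		if b < 0x80 {
			if i == binary.MaxVarintLen64-1 && b > 1 {
				return x, errOverflow
			}
			return x | uint64(b)<<s, nil
		}
		x |= uint64(b&0x7f) << s
		s += 7
	}
	return x, errOverflow
}

// decodeResult bundles what a decoder returned with the bytes it consumed.
type decodeResult struct {
	Value    uint64
	Err      error
	Consumed int
}

// decodeWith runs fn over input and reports value, error and bytes consumed.
func decodeWith(fn func(io.ByteReader) (uint64, error), input []byte) decodeResult {
	cr := &countingReader{r: bytes.NewReader(input)}
	v, err := fn(cr)
	return decodeResult{Value: v, Err: err, Consumed: cr.n}
}

// continuationStream is a constructed invalid input: n continuation bytes
// followed by a single terminating byte.
func continuationStream(n int) []byte {
	return append(bytes.Repeat([]byte{0x80}, n), 0x01)
}

func main() {
	in := continuationStream(100)
	fmt.Printf("unbounded: %+v\n", decodeWith(readUvarintUnbounded, in))
	fmt.Printf("bounded:   %+v\n", decodeWith(readUvarintBounded, in))
	fmt.Printf("stdlib:    %+v\n", decodeWith(binary.ReadUvarint, in))
}
```

On the 101-byte constructed stream the unbounded decoder consumes all 101 bytes before reporting overflow, while the bounded decoder and the current standard-library `binary.ReadUvarint` stop after `MaxVarintLen64` bytes with the same error; a valid encoding decodes identically with both.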