Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix a panic if Noise frame length is too low #2321

Merged
merged 4 commits into from
May 29, 2022
Merged

Fix a panic if Noise frame length is too low #2321

merged 4 commits into from
May 29, 2022

Conversation

tomaka
Copy link
Contributor

@tomaka tomaka commented May 27, 2022

The value in expected_len is read from an incoming networking packet. The networking packet is invalid if expected_len < 16, however it is unwise to do expected_len - 16 as a malicious peer might send an invalid value on purpose.

Rust only detects underflow errors in debug mode. However, in release mode this will lead to a very high value being passed to resize, which will lead to an allocation error.

This bug is technically a vulnerability, as anyone can crash a smoldot light client if it connects to their node. However, since we're not widely used at the moment and that an attacker has nothing to gain except being a nuisance, I'm going to assume that nobody is going to exploit this and skip the non-disclosure period.

mergify[bot]
mergify bot approved these changes May 27, 2022
View reviewed changes
Copy link
Contributor

@mergify mergify bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automatically approving tomaka's pull requests. This auto-approval will be removed once more maintainers are active.

@tomaka
Copy link
Contributor Author

tomaka commented May 27, 2022

Note that this changes the order of operations. Before this PR, we add len_before and expected_len, then subtract 16. After this PR, we first subtract 16. This is intentional and not very important.

@github-actions
Copy link
Contributor

github-actions bot commented May 27, 2022
edited
Loading

twiggy diff report

Difference in .wasm size before and after this pull request.

 Delta Bytes │ Item
─────────────┼──────────────────────────────────────────────────────────────────────────────────
         +10 ┊ smoldot::libp2p::connection::noise::Noise::inject_inbound_data::hbeba5cb020cfd9ec
         +10 ┊ Σ [1 Total Rows]

@tomaka tomaka mentioned this pull request May 27, 2022
Merged
melekes
melekes approved these changes May 29, 2022
View reviewed changes
Copy link
Contributor

@melekes melekes left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

@tomaka tomaka added the automerge Automatically merge pull request as soon as possible label May 29, 2022
@mergify mergify bot merged commit 4275020 into paritytech:main May 29, 2022
@tomaka tomaka deleted the noise-no-panic branch May 29, 2022 13:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mergify mergify[bot] mergify[bot] approved these changes

@melekes melekes melekes approved these changes

Assignees
No one assigned
Labels
automerge Automatically merge pull request as soon as possible
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@tomaka @melekes