Stack overflow when parsing message #267
Comments
Wow nice, thanks for the report. Getting a stack trace, if possible, would be super great if you are still looking at this (otherwise no worries, it should be easy to repro thanks to your repo). We have some fuzzers in-tree, but they haven't dug this up. That's something to be investigated as well, or maybe we can just upstream your test into
I found it, I believe it's this recursive call within
It likely would with longer input.
@dbrgn thanks again for the report, and thorough repro. Fix has been released in 0.6.1; more details are in the release notes: https:/danburkert/prost/releases/tag/v0.6.1. Additionally I filed #270 to track better fuzz testing through afl.
Great, thank you for the very fast response! 🙂 I will also file a RUSTSEC advisory, since this could be used for DoS if untrusted input is fed to the parser.
Note that in absence of stack probes on architectures like ARM, stack overflow is unsound and can result in potential memory corruption (or even RCE), so it's worse than DoS. Fortunately x86/x86_64 has stack probes.
Oh, that's a good point! I wasn't aware of that. I'll file a RUSTSEC advisory. In that case, should I put it both in "denial-of-service" and "memory-corruption" categories?
Yup, sounds good.
Are 0.5 versions affected? If so, is it possible to backport the fix?
0.5.x have no stack overflow protections at all, so yes. There will be no backport, as I don't have the resources to maintain backports.
I tried to visit the link listed: https:/danburkert/prost/issues/267 but it was unavailable. I saw that this is a fork so I found the issue in the original(?) repo: tokio-rs/prost#267, so I propose to change the link (or remove the line).
When parsing certain messages, the process aborts with a stack overflow.
I made a reproducer:
Potentially the data requests allocation of a buffer that's larger than the actually available data? (23 KiB input data is not that large...)
(Found through afl.rs)
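The bug class described in this issue is a recursive decoder that follows nested length-delimited fields as deep as the input tells it to, so a small, deeply nested message exhausts the stack. The following is an added illustration, not prost's code and not the fix shipped in 0.6.1: a toy decoder for a simplified protobuf-style wire format (varint tag, then either a varint value or a length prefix plus nested bytes) that carries a recursion depth through the call and refuses input nested deeper than an assumed `MAX_DEPTH` of 100. It also rejects a length prefix that claims more bytes than remain in the buffer, the "allocation larger than the available data" concern raised above. The `nested_input` helper constructs the kind of self-nesting message a fuzzer would find.

```rust
// Added example: depth-limited recursive decoding of nested length-delimited fields.
// Not prost's implementation; the wire format is simplified for illustration and
// MAX_DEPTH is an assumed limit, not a value taken from the project.

/// Assumed nesting limit; each nested wire-type-2 field adds one level.
pub const MAX_DEPTH: u32 = 100;

#[derive(Debug, PartialEq)]
pub enum DecodeError {
    /// A length prefix or varint ran past the end of the buffer.
    Truncated,
    /// A varint used more than the 10 bytes a u64 can occupy.
    BadVarint,
    /// Only wire types 0 (varint) and 2 (length-delimited) are modelled here.
    UnsupportedWireType(u64),
    /// Nesting exceeded MAX_DEPTH; returned instead of recursing further.
    RecursionLimitExceeded,
}

/// Read a little-endian base-128 varint at `*pos`, advancing `*pos` past it.
fn read_varint(buf: &[u8], pos: &mut usize) -> Result<u64, DecodeError> {
    let mut value: u64 = 0;
    for shift in (0..64).step_by(7) {
        let byte = *buf.get(*pos).ok_or(DecodeError::Truncated)?;
        *pos += 1;
        value |= u64::from(byte & 0x7f) << shift;
        if byte & 0x80 == 0 {
            return Ok(value);
        }
    }
    Err(DecodeError::BadVarint)
}

/// Decode one message body. `depth` is the current nesting level (0 at the top).
/// Returns the deepest level reached, so callers can see how far the input went.
pub fn decode_message(buf: &[u8], depth: u32) -> Result<u32, DecodeError> {
    // The check happens before any work at this level, so a hostile input
    // costs at most MAX_DEPTH frames regardless of how deep it claims to be.
    if depth > MAX_DEPTH {
        return Err(DecodeError::RecursionLimitExceeded);
    }
    let mut pos = 0;
    let mut deepest = depth;
    while pos < buf.len() {
        let key = read_varint(buf, &mut pos)?;
        match key & 0x7 {
            0 => {
                read_varint(buf, &mut pos)?; // scalar varint field, value discarded
            }
            2 => {
                let len = read_varint(buf, &mut pos)?;
                // Bound the length by what is actually left in the buffer before
                // slicing or allocating anything based on it.
                let remaining = (buf.len() - pos) as u64;
                if len > remaining {
                    return Err(DecodeError::Truncated);
                }
                let end = pos + len as usize;
                let d = decode_message(&buf[pos..end], depth + 1)?;
                deepest = deepest.max(d);
                pos = end;
            }
            other => return Err(DecodeError::UnsupportedWireType(other)),
        }
    }
    Ok(deepest)
}

/// Append `v` as a base-128 varint to `out`.
fn write_varint(mut v: u64, out: &mut Vec<u8>) {
    loop {
        let byte = (v & 0x7f) as u8;
        v >>= 7;
        if v == 0 {
            out.push(byte);
            return;
        }
        out.push(byte | 0x80);
    }
}

/// Construct a message nested `levels` deep: field 1 (wire type 2) wrapping
/// itself repeatedly. Constructed test input, not a real captured message.
pub fn nested_input(levels: u32) -> Vec<u8> {
    let mut body: Vec<u8> = Vec::new();
    for _ in 0..levels {
        let mut outer = vec![0x0a]; // key = (field 1 << 3) | wire type 2
        write_varint(body.len() as u64, &mut outer);
        outer.extend_from_slice(&body);
        body = outer;
    }
    body
}

fn main() {
    let ok = nested_input(3);
    println!("{} bytes nested 3 deep: {:?}", ok.len(), decode_message(&ok, 0));
    let deep = nested_input(MAX_DEPTH + 1);
    println!("{} bytes nested {} deep: {:?}", deep.len(), MAX_DEPTH + 1, decode_message(&deep, 0));
}
```

The point of carrying `depth` as a parameter rather than a global counter is that the limit is enforced at every entry into the recursive function, including entries reached through any helper that may sit between levels, and it resets naturally when the call unwinds.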