fixed GHSA-vgvv-x7xg-6cqg - OOM Denial of Service due to allocation o…

…f untrusted packet size
Eugeny · Aug 14, 2024 · f660ea3 · f660ea3
1 parent 4178268
commit f660ea3
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 1 deletion.
diff --git a/russh/src/cipher/mod.rs b/russh/src/cipher/mod.rs
@@ -240,7 +240,13 @@ pub(crate) async fn read<'a, R: AsyncRead + Unpin>(
             buffer.buffer.extend(&len);
             debug!("reading, seqn = {:?}", seqn);
             let len = cipher.decrypt_packet_length(seqn, &len);
-            buffer.len = BigEndian::read_u32(&len) as usize + cipher.tag_len();
+            let len = BigEndian::read_u32(&len) as usize;
+
+            if len > MAXIMUM_PACKET_LEN {
+                return Err(Error::PacketSize(len));
+            }
+
+            buffer.len = len + cipher.tag_len();
             debug!("reading, clear len = {:?}", buffer.len);
         }
     }
@@ -278,5 +284,6 @@ pub(crate) async fn read<'a, R: AsyncRead + Unpin>(
 pub(crate) const PACKET_LENGTH_LEN: usize = 4;
 
 const MINIMUM_PACKET_LEN: usize = 16;
+const MAXIMUM_PACKET_LEN: usize = 256 * 1024;
 
 const PADDING_LENGTH_LEN: usize = 1;
diff --git a/russh/src/lib.rs b/russh/src/lib.rs
@@ -221,6 +221,10 @@ pub enum Error {
     #[error("Wrong server signature")]
     WrongServerSig,
 
+    /// Excessive packet size.
+    #[error("Bad packet size: {0}")]
+    PacketSize(usize),
+
     /// Message received/sent on unopened channel.
     #[error("Channel not open")]
     WrongChannel,