x/net/dns/dnsmessage: uses untrusted data to pre-allocate slices #23214

Closed
lmb opened this issue Dec 21, 2017 · 2 comments

lmb commented Dec 21, 2017

I think there is a potential DoS in Message.Unpack if the function is used on untrusted data, since Message.Question, etc. are pre-allocated to the length indicated in p.header. An attacker can make the function allocate a few MiB of wasted memory per call, which in turn can stall the program by pressuring the GC and raising pause times.
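The pattern described above, as an added example that is not part of the original thread and is not the x/net code: a simplified question-section parser that either reserves capacity from the header's QDCOUNT field or grows the slice only as records actually decode. The `question` type, `parseQuestions`, `errMalformed` and the sample header bytes are constructed for illustration, and name compression is not handled.

```go
package main

import (
	"encoding/binary"
	"errors"
)

// question is a stand-in record type for this example, not the dnsmessage type.
type question struct{ Name string; Type, Class uint16 }

var errMalformed = errors.New("malformed message")

// parseQuestions decodes QDCOUNT questions after the 12-byte DNS header. With prealloc set,
// capacity is reserved from the untrusted count; otherwise the slice grows with decoded data.
func parseQuestions(msg []byte, prealloc bool) ([]question, error) {
	if len(msg) < 12 {
		return nil, errMalformed
	}
	count := int(binary.BigEndian.Uint16(msg[4:6])) // sender-controlled, 0..65535
	var qs []question
	if prealloc {
		qs = make([]question, 0, count) // allocated before a single record is validated
	}
	off := 12
	for i := 0; i < count; i++ {
		name := ""
		for off < len(msg) && msg[off] != 0 { // uncompressed, length-prefixed labels
			l := int(msg[off])
			if l > 63 || off+1+l > len(msg) {
				return qs, errMalformed
			}
			name += string(msg[off+1:off+1+l]) + "."
			off += 1 + l
		}
		if off+5 > len(msg) { // need the zero terminator plus type and class
			return qs, errMalformed
		}
		qs = append(qs, question{name, binary.BigEndian.Uint16(msg[off+1:]), binary.BigEndian.Uint16(msg[off+3:])})
		off += 5
	}
	return qs, nil
}

func main() {
	hdr := []byte{0, 1, 0, 0, 0xff, 0xff, 0, 0, 0, 0, 0, 0} // constructed: QDCOUNT=65535, no body
	a, _ := parseQuestions(hdr, true)
	b, _ := parseQuestions(hdr, false)
	println(cap(a), cap(b)) // capacity reserved by each variant for the same 12-byte input
}
```

Both variants reject the constructed 12-byte message, but only the pre-allocating one has already reserved 65535 entries by the time it does.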

gopherbot added this to the Unreleased milestone Dec 21, 2017
@gopherbot

Change https://golang.org/cl/85135 mentions this issue: dns/dnsmessage: Don't use untrusted data to pre-allocate slices

mikioh changed the title from "x/net: dnsmessage uses untrusted data to pre-allocate slices" to "x/net/dnsmessage: uses untrusted data to pre-allocate slices" Dec 22, 2017

mikioh commented Dec 22, 2017

/CC @iangudger

mikioh changed the title from "x/net/dnsmessage: uses untrusted data to pre-allocate slices" to "x/net/dns/dnsmessage: uses untrusted data to pre-allocate slices" Dec 25, 2017

golang locked and limited conversation to collaborators Feb 2, 2019