
[Crash/Fuzzing] memory exhaustion / OOM when parsing invalid ENR string. #64

Closed
pventuzelo opened this issue Jun 25, 2020 · 2 comments
@pventuzelo

Describe the bug

During fuzzing with beaconfuzz, I found that the following input leads to a memory exhaustion failure (Out Of Memory - OOM). This issue will lead to a complete denial of service (DoS) of the nodejs process and the server when trying to allocate too much memory.

Expected behavior

Should throw an Error since this enr string is invalid.

zcli rejects this ENR record string with the following message:

$ zcli net enr 7969
input: 7969
invalid ENR RLP encoding
rlp: value size exceeds available input length

Steps to Reproduce

oom_enr_lodestar.js:

const discv5 = require("@chainsafe/discv5");

// hex 656e723a37393639 is the ASCII string "enr:7969"
const buf = Buffer.from('656e723a37393639', 'hex').toString();
console.log(buf);

// expected: throws on the invalid record; observed: the process dies with a heap OOM
discv5.ENR.decodeTxt(buf);

Run:

$ npm i @chainsafe/discv5

$ nodejs oom_enr_lodestar.js

<--- Last few GCs --->

[14612:0x4582190]    61745 ms: Mark-sweep 2134.5 (2142.4) -> 2132.3 (2142.4) MB, 2009.7 / 0.0 ms  (average mu = 0.086, current mu = 0.012) allocation failure scavenge might not succeed
[14612:0x4582190]    63989 ms: Mark-sweep 2134.5 (2142.4) -> 2133.0 (2142.4) MB, 2231.8 / 0.0 ms  (average mu = 0.045, current mu = 0.005) allocation failure scavenge might not succeed


<--- JS stacktrace --->

==== JS stack trace =========================================

    0: ExitFrame [pc: 0x13cb519]
    1: StubFrame [pc: 0x141496f]
Security context: 0x201b86fc08d1 <JSObject>
    2: _decode(aka _decode) [0xbb63579c6b9] [/home/scop/node_modules/rlp/dist/index.js:~98] [pc=0x30c481309c1a](this=0x2115084004b1 <undefined>,0x3720581b5c21 <Uint8Array map = 0x1508c8ba52d9>)
    3: _decode(aka _decode) [0xbb63579c6b9] [/home/scop/node_modules/rlp/dist/index.js:~98] [pc=0x30c48130a638](this=0x2115084004b1 <undef...

FATAL ERROR: Ineffective mark-compacts near heap limit Allocation failed - JavaScript heap out of memory
 1: 0xa07f90 node::Abort() [nodejs]
 2: 0xa0839c node::OnFatalError(char const*, char const*) [nodejs]
 3: 0xb80d9e v8::Utils::ReportOOMFailure(v8::internal::Isolate*, char const*, bool) [nodejs]
 4: 0xb81119 v8::internal::V8::FatalProcessOutOfMemory(v8::internal::Isolate*, char const*, bool) [nodejs]
 5: 0xd2d875  [nodejs]
 6: 0xd2df06 v8::internal::Heap::RecomputeLimits(v8::internal::GarbageCollector) [nodejs]
 7: 0xd3a785 v8::internal::Heap::PerformGarbageCollection(v8::internal::GarbageCollector, v8::GCCallbackFlags) [nodejs]
 8: 0xd3b635 v8::internal::Heap::CollectGarbage(v8::internal::AllocationSpace, v8::internal::GarbageCollectionReason, v8::GCCallbackFlags) [nodejs]
 9: 0xd3e0ec v8::internal::Heap::AllocateRawWithRetryOrFail(int, v8::internal::AllocationType, v8::internal::AllocationOrigin, v8::internal::AllocationAlignment) [nodejs]
10: 0xd04cbb v8::internal::Factory::NewFillerObject(int, bool, v8::internal::AllocationType, v8::internal::AllocationOrigin) [nodejs]
11: 0x10464be v8::internal::Runtime_AllocateInYoungGeneration(int, unsigned long*, v8::internal::Isolate*) [nodejs]
12: 0x13cb519  [nodejs]
[1]    14612 abort (core dumped)  nodejs oom_enr_lodestar.js

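The crash above dies inside rlp's recursive `_decode`, while zcli refuses the same record with "value size exceeds available input length". The following is an added example (not code from @chainsafe/discv5 or the rlp package) of that check done up front: it walks every RLP length prefix in the payload and rejects any that claims more bytes than the buffer holds, before a decoder ever allocates. The function names, the depth and length-of-length limits, and the well-formed sample record are my own assumptions.

```javascript
// Added example: strict RLP length-prefix validation for an "enr:<base64url>" record.
// "enr:7969" decodes to ef de bd: a short-list header claiming 47 bytes with only 2 left.
const MAX_DEPTH = 8;      // assumption: ENR records are shallow lists
const MAX_LEN_OF_LEN = 8; // a length field wider than 8 bytes is never legitimate

// Read an n-byte big-endian length at pos; null if it runs past `end`.
function readLen(buf, pos, n, end) {
  if (n > MAX_LEN_OF_LEN || pos + n > end) return null;
  let len = 0;
  for (let i = 0; i < n; i++) len = len * 256 + buf[pos + i];
  return len;
}

// Validate one RLP item at pos (recursing into lists); returns { ok, next, isList } or { ok: false, reason }.
function checkRlpItem(buf, pos, end, depth) {
  const fail = (reason) => ({ ok: false, reason, next: pos });
  if (depth > MAX_DEPTH) return fail("nesting too deep");
  if (pos >= end) return fail("unexpected end of input");
  const b = buf[pos];
  let hdr = 1, len, isList = false;
  if (b < 0x80) len = 0;                                                          // single byte
  else if (b <= 0xb7) len = b - 0x80;                                             // short string
  else if (b <= 0xbf) { hdr += b - 0xb7; len = readLen(buf, pos + 1, b - 0xb7, end); } // long string
  else if (b <= 0xf7) { len = b - 0xc0; isList = true; }                          // short list
  else { hdr += b - 0xf7; len = readLen(buf, pos + 1, b - 0xf7, end); isList = true; } // long list
  if (len === null) return fail("length-of-length exceeds available input");
  const avail = end - pos - hdr;
  if (len > avail) return fail(`value size ${len} exceeds available input length ${avail}`);
  const bodyEnd = pos + hdr + len;
  if (isList) {
    for (let p = pos + hdr; p < bodyEnd; ) {
      const r = checkRlpItem(buf, p, bodyEnd, depth + 1);
      if (!r.ok) return r;
      p = r.next;
    }
  }
  return { ok: true, next: bodyEnd, isList };
}

// Validate a text record: "enr:" prefix, then exactly one RLP list and nothing after it.
function checkEnrTxt(txt) {
  if (!txt.startsWith("enr:")) return { ok: false, reason: "missing enr: prefix" };
  const bytes = Buffer.from(txt.slice(4), "base64"); // Node's base64 decoder accepts the base64url alphabet
  const r = checkRlpItem(bytes, 0, bytes.length, 0);
  if (!r.ok) return r;
  if (!r.isList) return { ok: false, reason: "ENR payload is not an RLP list" };
  if (r.next !== bytes.length) return { ok: false, reason: "trailing bytes after record" };
  return { ok: true, reason: "" };
}

// Constructed inputs: the fuzzer's crasher and a minimal well-formed list [0x01, "hi"] (c4 01 82 68 69).
console.log(checkEnrTxt("enr:7969").reason);  // value size 47 exceeds available input length 2
console.log(checkEnrTxt("enr:xAGCaGk").ok);   // true
```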

@pventuzelo (Author)

A similar bug has been found by @Daft-Wullie using beacon-fuzz.

I'm pretty sure it's the same, but I'll let you check with this reproducer:

const discv5 = require("@chainsafe/discv5");

// hex-encoded ENR text record from the beacon-fuzz crasher (the value is elided on this page)
const buf = Buffer.from("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", 'hex').toString();
console.log(buf);

discv5.ENR.decodeTxt(buf);

@pventuzelo (Author)

Fixed
