Skip to content

DoS via unbounded recursive deserialization in geoprobe #2915

New issue
New issue
Closed
Closed
DoS via unbounded recursive deserialization in geoprobe#2915
Milestone
Geo Location
@ben-dz

Description

@ben-dz
ben-dz
opened on Feb 10, 2026

Description

The LocationOffset.unmarshalHelper function recursively unmarshals reference chains without any depth limit. An attacker can craft a malicious UDP packet with NumReferences=255 pointing to deeply nested or circular reference structures, causing stack exhaustion and crashing the service.

Location

controlplane/telemetry/internal/geoprobe/offset.go:110-115

Impact

Denial of Service (DoS) - can crash the telemetry service by sending specially crafted UDP packets

Recommendation

  1. Add a maximum depth constant (e.g., MaxReferenceDepth = 10)
  2. Pass a depth counter through the recursive unmarshalHelper calls
  3. Return an error when depth is exceeded
  4. Validate that NumReferences matches the actual length of References after unmarshaling

References

From security review findings in docs/reviews-2901.md

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions