Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Insufficient size checks in outgoing buffer in ws allows remote attacker to run the process out of memory #394

Merged
merged 2 commits into from
Sep 25, 2020
Merged
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
21 changes: 21 additions & 0 deletions crates/ws/RUSTSEC-0000-0000.toml
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
[advisory]
id = "RUSTSEC-0000-0000"
package = "ws"
date = "2019-09-25"
title = "Insufficient size checks in outgoing buffer in ws allows remote attacker to run the process out of memory"

url = "https://github.com/housleyjk/ws-rs/issues/291"

categories = ["denial-of-service"]
keywords = ["websocket", "dos", "ddos","oom", "memory", "remotely"]

description = """
Affected versions of this crate did not properly check and cap the growth of the outgoing buffer.

This allows a remote attacker to take down the process by growing the buffer of their (single) connection until the process runs out of memory it can allocate and is killed.

The flaw was corrected in the [`parity-ws` fork](https://crates.io/crates/parity-ws) (>0.10.0) by [disconnecting a client when the buffer runs full](https://github.com/housleyjk/ws-rs/pull/328).
"""

[versions]
patched = []
Copy link
Contributor Author

@gnunicorn gnunicorn Sep 25, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As said in the description, we tried to contact the maintainers, but it seems the crate isn't actively maintained, so no fixed version has been published yet. I know this is a mandatory field, so I'd like to know how we want to deal with this.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We could file another advisory marking ws-rs unmaintained and suggesting your fork instead; see e.g. https://rustsec.org/advisories/RUSTSEC-2016-0005.html