Memory is not secure and may be vulnerable to attacks #376

Open
@blacksun1977


Memory is not secure and may be vulnerable to attacks.
See the code:

File: decode_slice.go

```go
func (d *Decoder) decodeSlice(c byte) ([]interface{}, error) {
	n, err := d.arrayLen(c)
	if err != nil {
		return nil, err
	}
	if n == -1 {
		return nil, nil
	}

	s := make([]interface{}, 0, n) // dangerous code
	for i := 0; i < n; i++ {
		v, err := d.decodeInterfaceCond()
		if err != nil {
			return nil, err
		}
		s = append(s, v)
	}

	return s, nil
}
```

If someone modifies the length of the array to 1M, they will request at least 1M of memory. If it is an N-dimensional array, N*1M of memory will be required, which can easily lead to memory request attacks.
I think safe code should be like this:

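```go
var sliceAllocLen = 64 // configurable or suggested length

func (d *Decoder) decodeSlice(c byte) ([]interface{}, error) {
	n, err := d.arrayLen(c)
	if err != nil {
		return nil, err
	}
	if n == -1 {
		return nil, nil
	}

	// Cap only the preallocation. n must stay the declared length,
	// otherwise the loop stops early and leaves elements unread.
	allocLen := n
	if allocLen > sliceAllocLen {
		allocLen = sliceAllocLen
	}

	s := make([]interface{}, 0, allocLen)
	for i := 0; i < n; i++ {
		v, err := d.decodeInterfaceCond()
		if err != nil {
			return nil, err
		}
		s = append(s, v)
	}

	return s, nil
}
```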

I don't think we should trust the length of arrays in the data stream;
it is necessary to limit the length of the array and also limit its recursive depth.

If we can determine the remaining length of the input stream, it can be easily determined to make it more efficient. For example, if there are 1024 bytes left, the length of the array will not exceed 1024.

I used translation software, please forgive any unclear descriptions.
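The two checks discussed in this issue (a capped preallocation and a bound derived from the remaining input), as an added example that is not part of the original post or the library's code. It assumes a whole-buffer decoder for a MessagePack array32 of positive fixints; `decodeArray32`, `allocLimit` and `errTruncated` are hypothetical names.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// allocLimit caps preallocation whatever the header claims (constructed value).
const allocLimit = 64

var errTruncated = errors.New("array header declares more elements than bytes remain")

// decodeArray32 decodes a MessagePack array32 (0xdd + 4-byte big-endian count)
// whose elements are positive fixints (one byte each, 0x00-0x7f).
// It returns the values and the capacity that was preallocated.
func decodeArray32(buf []byte) ([]int, int, error) {
	if len(buf) < 5 || buf[0] != 0xdd {
		return nil, 0, errors.New("not an array32 header")
	}
	n := binary.BigEndian.Uint32(buf[1:5])
	body := buf[5:]
	// Every element occupies at least one byte, so a count larger than the
	// remaining input can never be satisfied: reject before allocating.
	if uint64(n) > uint64(len(body)) {
		return nil, 0, errTruncated
	}
	// Preallocate at most allocLimit; append grows the slice only as real
	// elements are decoded, so memory tracks the input actually received.
	hint := int(n)
	if hint > allocLimit {
		hint = allocLimit
	}
	out := make([]int, 0, hint)
	for i := 0; i < int(n); i++ {
		if body[i] > 0x7f {
			return nil, 0, fmt.Errorf("element %d is not a positive fixint", i)
		}
		out = append(out, int(body[i]))
	}
	return out, hint, nil
}

func main() {
	// Constructed input: header claims 0x00100000 (1M) elements, 3 bytes follow.
	hostile := []byte{0xdd, 0x00, 0x10, 0x00, 0x00, 1, 2, 3}
	_, _, err := decodeArray32(hostile)
	fmt.Println("hostile:", err)
}
```

A streaming decoder that cannot see the remaining length keeps only the capped preallocation; nested arrays additionally need a depth limit, which this block does not cover.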
