
Memory exhaustion in trezorlib protobuf parser

Open matejcik opened this issue 3 years ago • 1 comment

As reported by @invd: a crafted protobuf message can cause trezorlib's protobuf parser to allocate a huge chunk of memory, possibly causing denial of service on the host PC.

Given that this cannot happen with a legitimate Trezor, fixing the issue is mostly a matter of hardening the codebase.

The simplest solution is to introduce a static maximum field size for decode_length_delimited_field https://github.com/trezor/trezor-firmware/blob/ef47c262720be8b21671e85d7af68c547ad1955e/python/src/trezorlib/protobuf.py#L335-L345

Trezor can send around 16 kB of data in one go, so setting the limit to 128 kB seems reasonable.

matejcik avatar Aug 05 '22 13:08 matejcik
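The hardening described in the issue, as an added example that is not trezorlib's own code: a minimal protobuf wire-format reader in which a length-delimited field is decoded first without a bound (the field's declared length drives the allocation directly) and then with a static maximum, checked before any buffer is created. The constants, function names and the crafted message builder are assumptions made for this example; only the 128 kB figure and the "static maximum field size" idea come from the issue text. The same check belongs at every place where a length read from the wire drives an allocation, which is the general pattern the thread is pointing at.

```python
"""Bounded length-delimited protobuf field decoding (added example, not trezorlib code)."""
import io

# Limit taken from the issue text: a real Trezor sends ~16 kB per message, so 128 kB is generous.
MAX_FIELD_SIZE = 128 * 1024


class MessageTooLarge(ValueError):
    """Raised when a wire-supplied length exceeds the static limit (assumed name)."""


def encode_varint(value: int) -> bytes:
    """Protobuf base-128 varint encoding, least-significant group first."""
    out = bytearray()
    while True:
        byte = value & 0x7F
        value >>= 7
        if value:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def decode_varint(reader: io.BufferedIOBase) -> int:
    """Read one varint; refuses streams that end early or exceed 10 bytes (64-bit max)."""
    result = 0
    shift = 0
    while True:
        chunk = reader.read(1)
        if not chunk:
            raise ValueError("unexpected end of stream inside varint")
        byte = chunk[0]
        result |= (byte & 0x7F) << shift
        shift += 7
        if not byte & 0x80:
            return result
        if shift > 70:
            raise ValueError("varint longer than 10 bytes")


def decode_length_delimited_unchecked(reader: io.BufferedIOBase) -> bytes:
    """Constructed "before" variant: trusts the declared length and allocates it up front."""
    length = decode_varint(reader)
    buf = bytearray(length)  # attacker chooses this size, up to 2**64 - 1
    if reader.readinto(buf) != length:
        raise ValueError("short read")
    return bytes(buf)


def decode_length_delimited(reader: io.BufferedIOBase, max_size: int = MAX_FIELD_SIZE) -> bytes:
    """Hardened variant: reject the length before anything is allocated."""
    length = decode_varint(reader)
    if length > max_size:
        raise MessageTooLarge(f"declared field length {length} exceeds limit {max_size}")
    buf = bytearray(length)  # now bounded by max_size regardless of the wire data
    if reader.readinto(buf) != length:
        raise ValueError("short read")
    return bytes(buf)


def decode_field(reader: io.BufferedIOBase, max_size: int = MAX_FIELD_SIZE):
    """Decode one (field_number, wire_type, value) triple for varint or bytes fields."""
    key = decode_varint(reader)
    field_number, wire_type = key >> 3, key & 0x7
    if wire_type == 0:
        return field_number, wire_type, decode_varint(reader)
    if wire_type == 2:
        return field_number, wire_type, decode_length_delimited(reader, max_size)
    raise ValueError(f"unsupported wire type {wire_type}")


def encode_bytes_field(field_number: int, payload: bytes) -> bytes:
    """Well-formed length-delimited field (wire type 2)."""
    return encode_varint((field_number << 3) | 2) + encode_varint(len(payload)) + payload


def crafted_bytes_field(field_number: int, declared_length: int, body: bytes) -> bytes:
    """Constructed attack message: declares a huge length but carries only a few bytes."""
    return encode_varint((field_number << 3) | 2) + encode_varint(declared_length) + body


def rejects_oversized(data: bytes, max_size: int = MAX_FIELD_SIZE) -> bool:
    """True if the hardened decoder refuses the message with MessageTooLarge."""
    try:
        decode_field(io.BytesIO(data), max_size)
    except MessageTooLarge:
        return True
    return False


if __name__ == "__main__":
    print(decode_field(io.BytesIO(encode_bytes_field(1, b"hello"))))
    hostile = crafted_bytes_field(1, 2**40, b"\x00" * 4)  # ~1 TiB declared, 4 bytes sent
    print("rejected before allocation:", rejects_oversized(hostile))
```

Note that `decode_length_delimited_unchecked` is only safe to call on trusted input; with `hostile` above it would attempt a 1 TiB allocation, which is exactly the host-side denial of service the issue describes.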

There is a second variant of this pattern and I've confirmed experimentally that it leads to similar issues:

https://github.com/trezor/trezor-firmware/blob/ef47c262720be8b21671e85d7af68c547ad1955e/python/src/trezorlib/protobuf.py#L377-L379

invd avatar Aug 05 '22 15:08 invd