Ravencoin
Potential DDoS Attack
Recently, when we reviewed the vulnerability CVE-2018-17145, we found that it might still affect Ravencoin Core and lead to a DDoS attack.
For details, see the function call `GetMainSignals().Inventory(inv.hash)` in `src/net_processing.cpp` (Lines 1145-1146 and Lines 1597-1598). Unlimited calls of this function would grow the size of the variable `m_callbacks_pending` and run out of memory, which may lead to a crash.
The variable `m_callbacks_pending` in `src/scheduler.h` (Line 99) is used in `src/scheduler.cpp` (scheduler.cpp).
A possible solution is to delete the function call `GetMainSignals().Inventory(inv.hash)` in `src/net_processing.cpp` to avoid memory exhaustion.
For more attack and fixing details, you can refer to the following pages.
- The original CVE-2018-17145 report.
- The attack details.
- Similar fixing commit from Bitcoin: https://github.com/bitcoin/bitcoin/commit/beef7ec4be725beea870a2da510d2817487601ec.
Reported by de957ad9679f28a38f02f00cc7928bce8fb424882ff060a3c09c32895b1474cc.
Suggested fix PR #1115
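
The queue growth described in the report, as an added model that is not Ravencoin or Bitcoin code: `CallbackQueue` and `PeakPending` are hypothetical stand-ins for the scheduler client holding `m_callbacks_pending` and for the inventory handler. The 10:1 producer/consumer ratio and the optional cap are assumptions; the cap is shown only for comparison and is not the fix suggested above.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <functional>
#include <list>
#include <string>
#include <utility>
// Hypothetical stand-in for the scheduler client that owns m_callbacks_pending.
class CallbackQueue {
public:
    explicit CallbackQueue(std::size_t cap = 0) : m_cap(cap) {}  // 0 = no limit
    bool Add(std::function<void()> fn) {
        if (m_cap != 0 && m_pending.size() >= m_cap) { ++m_dropped; return false; }
        m_pending.push_back(std::move(fn));
        return true;
    }
    void RunOne() {  // what the scheduler thread does when it gets a turn
        if (m_pending.empty()) return;
        auto fn = std::move(m_pending.front());
        m_pending.pop_front();
        fn();
    }
    std::size_t Pending() const { return m_pending.size(); }
    std::size_t Dropped() const { return m_dropped; }
private:
    std::list<std::function<void()>> m_pending;
    std::size_t m_cap;
    std::size_t m_dropped = 0;
};
// Feeds `items` inventory entries while the consumer runs one callback per
// `drain_every` entries; returns the peak number of queued callbacks.
std::size_t PeakPending(CallbackQueue& q, std::size_t items,
                        std::size_t drain_every, bool notify_inventory) {
    std::size_t peak = 0;
    for (std::size_t i = 1; i <= items; ++i) {
        if (notify_inventory) {  // models the Inventory(inv.hash) notification
            std::string hash(32, 'h');  // constructed 32-byte identifier
            q.Add([hash] { (void)hash.size(); });
        }
        peak = std::max(peak, q.Pending());
        if (i % drain_every == 0) q.RunOne();
    }
    return peak;
}
int main() {
    CallbackQueue kept, removed, capped(100);
    std::printf("call kept: %zu\n", PeakPending(kept, 10000, 10, true));
    std::printf("call removed: %zu\n", PeakPending(removed, 10000, 10, false));
    std::printf("capped at 100: %zu\n", PeakPending(capped, 10000, 10, true));
}
```

With the notification kept, the pending list scales with the number of entries received; with the call removed, nothing is queued for them at all.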