
The CBOR library is sensitive to a DOS attack

Open vivekidem opened this issue 4 years ago • 2 comments

Hi Team,

Given a specially crafted message, the library will try to allocate a message that is way above the memory capacity.

For a CBOR array input, the code was trying to decode the CBOR array before trying to use the byte[]. The library has no limit on the allocation memory that is required, so an attacker could craft a packet that will ask the library to allocate an object that will exceed the available memory.

vivekidem, Sep 07 '21 15:09

@vivekidem Would you like to make a PR that fixes this?

c-rack, May 25 '22 22:05

@c-rack, from the client side it can be mitigated by setting a definite value in setMaxPreallocationSize:

```kotlin
import co.nstant.in.cbor.CborDecoder
import co.nstant.in.cbor.CborException
import co.nstant.in.cbor.model.DataItem
import java.io.ByteArrayInputStream

// Extension on ByteArray, matching the snippet's use of `this` and `return`
fun ByteArray.decodeCbor(): List<DataItem> {
    try {
        val decoder = CborDecoder(ByteArrayInputStream(this))
        // Cap how much the decoder pre-allocates from a declared length
        decoder.setMaxPreallocationSize(1024)
        return decoder.decode()
    } catch (e: CborException) {
        throw UnexpectedEndOfStream(message = "Invalid CBOR Encoded data ")
    }
}
```

However, if the above config is not set on the client side, then there should be some default value from the library side.

vinaymjoshi, Feb 28 '23 09:02
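Added example, not code from the issue or from cbor-java: a Python pre-decode sanity check that parses the CBOR head of the first item and rejects a declared length that the bytes actually present cannot back, or that exceeds an allocation budget, so a trusting decoder never allocates for it. It complements the per-decoder bound that setMaxPreallocationSize sets; the sample byte strings are constructed and `max_alloc` is an assumed parameter name.

```python
import struct

# Major types whose length argument can drive a huge preallocation in a
# trusting decoder: 2/3 declare a byte count, 4/5 declare an item/pair count.
BYTE_LENGTH_TYPES = {2, 3}
ITEM_COUNT_TYPES = {4, 5}
# Additional info 24..27: the argument follows in 1, 2, 4 or 8 big-endian bytes.
ARG_WIDTH = {24: (">B", 1), 25: (">H", 2), 26: (">I", 4), 27: (">Q", 8)}

def read_head(data, offset=0):
    """Return (major_type, argument, head_length); argument is None if indefinite."""
    major, info = data[offset] >> 5, data[offset] & 0x1F
    if info < 24:
        return major, info, 1
    if info == 31:
        return major, None, 1
    if info not in ARG_WIDTH:
        raise ValueError(f"reserved additional info {info}")
    fmt, width = ARG_WIDTH[info]
    if offset + 1 + width > len(data):
        raise ValueError("truncated length argument")
    (arg,) = struct.unpack(fmt, data[offset + 1:offset + 1 + width])
    return major, arg, 1 + width

def check_declared_length(data, max_alloc=1024):
    """Reject a first item whose declared size the stream cannot satisfy or that exceeds max_alloc."""
    major, arg, head_len = read_head(data)
    remaining = len(data) - head_len
    if arg is None:
        return True, "indefinite length; decoder must bound each chunk"
    if major in BYTE_LENGTH_TYPES:
        needed, unit = arg, "bytes"
    elif major in ITEM_COUNT_TYPES:
        needed, unit = arg * (2 if major == 5 else 1), "items"  # each item >= 1 byte
    else:
        return True, "ok"
    if needed > remaining:
        return False, f"declares {arg} {unit} but only {remaining} bytes follow"
    if needed > max_alloc:
        return False, f"declares {arg} {unit}, over allocation budget {max_alloc}"
    return True, "ok"

# Constructed samples (not from the issue report).
GOOD_ARRAY = bytes([0x83, 0x01, 0x02, 0x03])                # [1, 2, 3]
HUGE_ARRAY = bytes([0x9A]) + struct.pack(">I", 0x7FFFFFFF)  # 2^31-1 items declared, none present
HUGE_BSTR = bytes([0x5B]) + struct.pack(">Q", 1 << 40)      # 1 TiB byte string declared, no payload

if __name__ == "__main__":
    for name, sample in [("good", GOOD_ARRAY), ("huge array", HUGE_ARRAY), ("huge bstr", HUGE_BSTR)]:
        print(name, check_declared_length(sample))
```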