
[Security] Candid deserialization vulnerabilities

Open · crusso opened this issue 4 years ago · 1 comment

Tracking JIRA issue(s):

https://dfinity.atlassian.net/browse/FOLLOW-303

  • [x] uint overflow
  • [ ] recursion limit
  • [x] binread allocation
  • [ ] space bomb (vec null)
  • [ ] skip vec null faster
  • [ ] branching on uninitialized value?

crusso · Oct 26 '21 13:10

Yeah, nothing surprising here. The remaining ones are:

  • Reading a deeply nested value can cause a stack overflow
  • A binary parser we use (binread) doesn't do defensive reads, so it can allocate large amounts of memory
  • Space bomb for vec null. Maybe setting a size limit just for vec null/reserved?

chenyan-dfinity · Oct 26 '21 19:10
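The three decoder failure modes discussed in this thread (LEB128 length overflow, allocating from an unvalidated length, and the `vec null` space bomb) in one added illustration. This is not the candid crate's code; the names `decode_uleb128`, `check_vec_len`, `decode_vec_nat8` and the `NULL_VEC_CAP` constant are assumptions made for the example.

```rust
// Added illustration, not the candid crate's own code: a minimal model of length-prefixed `vec` decoding.
const NULL_VEC_CAP: u64 = 1 << 20; // assumed cap for `vec null`, whose elements occupy no wire bytes

#[derive(Debug, PartialEq)]
pub enum DecodeError {
    Truncated,
    LebOverflow,
    LengthExceedsInput { len: u64, remaining: usize },
    NullVecTooLarge { len: u64 },
}

/// Decode an unsigned LEB128 integer, rejecting any encoding that would not fit in a u64.
pub fn decode_uleb128(buf: &[u8], mut pos: usize) -> Result<(u64, usize), DecodeError> {
    let (mut result, mut shift) = (0u64, 0u32);
    loop {
        let byte = *buf.get(pos).ok_or(DecodeError::Truncated)?;
        pos += 1;
        let low = u64::from(byte & 0x7f);
        // checked_shl fails at shift >= 64; the comparison catches bits shifted out below that.
        let shifted = low.checked_shl(shift).ok_or(DecodeError::LebOverflow)?;
        if shifted >> shift != low {
            return Err(DecodeError::LebOverflow);
        }
        result |= shifted;
        if byte & 0x80 == 0 {
            return Ok((result, pos));
        }
        shift += 7;
    }
}

/// Bound a decoded `vec` length before allocating. `min_elem_bytes` is the smallest wire
/// size of one element; 0 means `vec null`, where the remaining input bounds nothing.
pub fn check_vec_len(len: u64, remaining: usize, min_elem_bytes: usize) -> Result<usize, DecodeError> {
    if min_elem_bytes == 0 {
        if len > NULL_VEC_CAP {
            return Err(DecodeError::NullVecTooLarge { len });
        }
    } else if len > (remaining / min_elem_bytes) as u64 {
        // An honest encoding must carry at least min_elem_bytes per element.
        return Err(DecodeError::LengthExceedsInput { len, remaining });
    }
    Ok(len as usize)
}

/// Decode `vec nat8` (length prefix + raw bytes); allocation happens only after the check.
pub fn decode_vec_nat8(buf: &[u8]) -> Result<Vec<u8>, DecodeError> {
    let (len, pos) = decode_uleb128(buf, 0)?;
    let n = check_vec_len(len, buf.len() - pos, 1)?;
    Ok(buf.get(pos..pos + n).ok_or(DecodeError::Truncated)?.to_vec())
}
```

A recursion-depth counter for nested types is the remaining item from the list and is not modelled here.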