async-bincode
async-bincode copied to clipboard
No way to limit memory usage
bincode
allows limiting the memory usage of deserialized objects, and async-bincode
should probably provide a facility for this as well. Without it, attackers are able to consume up to 8GB of RAM (2* 2^32 bytes, once for the buffer, the other for the deserialized message).
In addition, on 32bit platforms, the calculation of the needed buffer size is prone to an overflow. As far as I can see, this is not actually problematic as it just causes the deserialization to fail. The memory exhaustion attack due to being unable to limit memory consumed for buffers is probably the worse vector on these platforms.