DoS vector in protocol message stream #912
Comments
|
When you say "very large gob message", does the receiver accept messages with any length? I guess there should be a reasonable upper limit... |
|
see my analysis above re length. The only limit I can find is 1GB, and it does not apply everywhere. |
|
You analysis talks about the gob limits, but what I mean is whether we check the message length before passing it to the gob decoder... I think it does not make sense to try to decode any message (specially if we want protocol upgradeability) |
|
There is no such thing as "messages" before the gob decoder. The gob layer is what gives us our message framing. |
|
Oh, I see, so we are in the hands of gob... |
Nice :) It strikes me that either
|
|
Wire-encodings of messages is limited to 1GB, but by using specific structs you can create a gob stream where: Not yet sure if it is exploitable in weave. |
|
Is that using straight gob or did it involve injecting byte sequences that "look like gob"? It's the latter that I suspect might permit allocating arbitrary large amounts of memory from little input. Not sure though; very much depends on the structure and implementation of the gob codec. |
|
regular gob. Encoding a large recursive tree struct of strings (because zero-value strings are omitted from transmission). |
|
slices have their size checked before decoding, but structs don't. |
|
Related: golang/go#10490 and golang/go#10273 |
To allow users to forgo compatibility with Weave Net 1.0 in order to avoid weaveworks#912, by setting --protocol-min-version=2. Defaults to --protocol-min-version=1, i.e. compatible but vulnerable.
To allow users to forgo compatibility with Weave Net 1.0 in order to avoid weaveworks#912, by setting --protocol-min-version=2. Defaults to --protocol-min-version=1, i.e. compatible but vulnerable.
To allow users to forgo compatibility with Weave Net 1.0 in order to avoid weaveworks#912, by setting --protocol-min-version=2. Defaults to --protocol-min-version=1, i.e. compatible but vulnerable.
To allow users to forgo compatibility with Weave Net 1.0 in order to avoid weaveworks#912, by setting --protocol-min-version=2. Defaults to --protocol-min-version=1, i.e. compatible but vulnerable.
To allow users to forgo compatibility with Weave Net 1.0 in order to avoid weaveworks#912, by setting --protocol-min-version=2. Defaults to --protocol-min-version=1, i.e. compatible but vulnerable.
To allow users to forgo compatibility with Weave Net 1.0 in order to avoid weaveworks#912, by setting --protocol-min-version=2. Defaults to --protocol-min-version=1, i.e. compatible but vulnerable.
To allow users to forgo compatibility with Weave Net 1.0 in order to avoid #912, by setting --protocol-min-version=2. Defaults to --protocol-min-version=1, i.e. compatible but vulnerable.
I haven't tested this, but I reckon there is DoS vector in the protocol message stream that attackers can exploit without breaking our crypto.
The weave TCP protocol is a gob stream of messages: a
map[string][string]for the first message, the handshake, followed by[]bytemessages. The latter are all encrypted when crypto is enabled. Note that it's the individual messages that are encrypted, not the stream. And the first message - the handshake - is always unencrypted.It is therefore possible for an attacker to exploit weaknesses in gob. The following spring to mind:
I am quite sure 1 is possible. There is a 1GB limit in place but a) that's still quite large, and b) doesn't apply everywhere.
2 is different from 1 because it does not require network capacity and is therefore impossible to guard against with firewalls that enforce capacity limits. And I think it is possible, based on my reading of the gob decoder, i.e. there are places where a capacity is read and then an allocation of that capacity is performed.
I don't think 3 is possible, based on the description of gob. But I could well be wrong.
The text was updated successfully, but these errors were encountered: