Impact
Users with listening TCP PUB/XPUB endpoints who do NOT use CURVE/ZAP for authentication are affected.
Patches
#3959
Workarounds
None
References
Found thanks to Google's oss-fuzz project:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=22488
For more information
The PUB/XPUB subscription store (mtrie) is traversed using recursive function calls. In the remove (unsubscription) case the recursive calls are NOT tail calls, so even with compiler optimizations the stack grows linearly with the length of the subscription topic.
Topics are under the control of remote clients, who can subscribe to topics of arbitrary length. An attacker can thus make a server build an mtrie deep enough that the traversal performed on unsubscription overflows the stack.
A stack overflow is considerably more dangerous than an ordinary out-of-memory condition and, depending on how the binary is built, can be a stepping stone to further exploitation.
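The defensive shape of the fix, as an added illustration that is not libzmq's mtrie or the code in #3959: the unsubscribe walk keeps its path in a heap-allocated vector and does the bottom-up pruning that a recursive remove performs on unwind from that vector, so machine-stack use stays constant however long the topic is. `Node`, `Trie`, `demo` and the index-arena layout are assumptions made for this example.

```cpp
#include <cstddef>
#include <map>
#include <string>
#include <vector>
// Toy subscription trie, one node per topic byte. Nodes live in an index
// arena (a vector), so removal and teardown never recurse per topic byte.
struct Node {
    std::map<unsigned char, size_t> next;  // child index in the arena
    unsigned refcount = 0;                 // subscribers for exactly this prefix
};
class Trie {
public:
    Trie() : nodes_(1) {}  // nodes_[0] is the root
    void add(const std::string &topic) {
        size_t n = 0;
        for (unsigned char c : topic) {
            if (!nodes_[n].next.count(c)) {
                nodes_.emplace_back();  // may reallocate: index, never hold refs
                nodes_[n].next[c] = nodes_.size() - 1;
                ++live_;
            }
            n = nodes_[n].next[c];
        }
        ++nodes_[n].refcount;
    }
    // Unsubscribe without recursion: the stack does not grow with topic length.
    bool rm(const std::string &topic) {
        std::vector<size_t> path{0};  // heap-held path replaces the call stack
        for (unsigned char c : topic) {
            auto it = nodes_[path.back()].next.find(c);
            if (it == nodes_[path.back()].next.end()) return false;
            path.push_back(it->second);
        }
        if (nodes_[path.back()].refcount == 0) return false;
        --nodes_[path.back()].refcount;
        for (size_t i = topic.size(); i > 0; --i) {  // prune bottom-up, as unwind would
            Node &child = nodes_[path[i]];
            if (child.refcount != 0 || !child.next.empty()) break;
            nodes_[path[i - 1]].next.erase(static_cast<unsigned char>(topic[i - 1]));
            --live_;  // arena slot stays allocated; no free list in this toy
        }
        return true;
    }
    size_t live_nodes() const { return live_; }  // excludes the root
private:
    std::vector<Node> nodes_;
    size_t live_ = 0;
};
bool demo() {  // constructed check: 200,000-byte topic, zero recursion on unsubscribe
    Trie t;
    t.add(std::string(200000, 'a'));
    t.add("ab");
    return t.rm(std::string(200000, 'a')) && t.live_nodes() == 2;
}
```

A recursive remove would need roughly 200,000 frames for the topic in `demo`; here the only per-byte cost is one heap entry in `path`.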