Memory is not secure and may be vulnerable to attacks #376
Description
Memory is not secure and may be vulnerable to attacks.
see the code:
file : decode_slice.go
func (d *Decoder) decodeSlice(c byte) ([]interface{}, error) {
n, err := d.arrayLen(c)
if err != nil {
return nil, err
}
if n == -1 {
return nil, nil
}
s := make([]interface{}, 0, n) // dangerous code
for i := 0; i < n; i++ {
v, err := d.decodeInterfaceCond()
if err != nil {
return nil, err
}
s = append(s, v)
}
return s, nil
}If someone modifies the length of the array to 1m, they will request at least 1M of memory. If it is a N dimensional array, N*1M of memory will be required, which can easily lead to memory request attacks
I think safe code should be like this:
var sliceAllocLen = 64 // configurable or suggested length
func (d *Decoder) decodeSlice(c byte) ([]interface{}, error) {
n, err := d.arrayLen(c)
if err != nil {
return nil, err
}
if n == -1 {
return nil, nil
}
if n > sliceAllocLen {
n = sliceAllocLen
}
s := make([]interface{}, 0, n) // dangerous code
for i := 0; i < n; i++ {
v, err := d.decodeInterfaceCond()
if err != nil {
return nil, err
}
s = append(s, v)
}
return s, nil
}I don't think we should trust the length of arrays in data stream,
it is necessary to limit the length of the array and also limit its recursive depth.
If we can determine the remaining length of the input stream, it can be easily determined to make it more efficient. For example, if there are 1024 bytes left, the length of the array will not exceed 1024
I used translation software, please forgive any unclear descriptions