Impact
There is a remotely exploitable vulnerability in our QPACK decoder that lets a remote attacker crash the implementation by making it allocate arbitrarily large amounts of memory.
LiteralReader::read() at line 304 in neqo-qpack/src/reader.rs reads a varint length and calls resize() with that length
There's no upper bound check on the length, allowing malicious input to specify an absurdly large value
When Vec::resize() tries to allocate, it panics with "capacity overflow"
Patches
Patch in the secure fork below.
Workarounds
None
References
https://bugzilla.mozilla.org/show_bug.cgi?id=2003616
https://oss-fuzz.com/testcase-detail/4695808126812160
https://issues.oss-fuzz.com/issues/464682065
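
The upper-bound check described under Impact, shown as an added example; this is not neqo's code and not the patch from the fork. The names `read_prefixed_int`, `read_literal`, `ReadError` and the `MAX_LITERAL_LEN` value are assumptions, and the inputs in `main` are constructed.

```rust
// Added example: not neqo's code. All names and the cap value are assumptions.
const MAX_LITERAL_LEN: u64 = 64 * 1024; // hypothetical limit, tune per deployment

#[derive(Debug, PartialEq)]
enum ReadError { Truncated, IntegerOverflow, LiteralTooLong(u64) }

/// Decode an RFC 7541 section 5.1 prefixed integer; returns (value, bytes used).
fn read_prefixed_int(buf: &[u8], prefix_bits: u8) -> Result<(u64, usize), ReadError> {
    let mask = (1u64 << prefix_bits) - 1;
    let mut value = u64::from(*buf.first().ok_or(ReadError::Truncated)?) & mask;
    if value < mask {
        return Ok((value, 1));
    }
    let mut shift = 0u32;
    for (i, &b) in buf[1..].iter().enumerate() {
        if shift > 56 {
            return Err(ReadError::IntegerOverflow); // would not fit in u64
        }
        value = value
            .checked_add(u64::from(b & 0x7f) << shift)
            .ok_or(ReadError::IntegerOverflow)?;
        if b & 0x80 == 0 {
            return Ok((value, i + 2));
        }
        shift += 7;
    }
    Err(ReadError::Truncated)
}

/// Read a length-prefixed literal, validating the length before allocating.
fn read_literal(buf: &[u8], prefix_bits: u8) -> Result<Vec<u8>, ReadError> {
    let (len, used) = read_prefixed_int(buf, prefix_bits)?;
    // Upper-bound check applied before resize(): a peer-chosen length never
    // reaches the allocator unless it is within the configured limit.
    if len > MAX_LITERAL_LEN {
        return Err(ReadError::LiteralTooLong(len));
    }
    let len = len as usize;
    let body = buf.get(used..used + len).ok_or(ReadError::Truncated)?;
    let mut out = Vec::new();
    out.resize(len, 0); // bounded by MAX_LITERAL_LEN
    out.copy_from_slice(body);
    Ok(out)
}

fn main() {
    // Constructed inputs: a 3-byte literal, then a declared length of 2_097_279.
    println!("{:?}", read_literal(&[0x03, b'a', b'b', b'c'], 7));
    println!("{:?}", read_literal(&[0x7f, 0x80, 0x80, 0x80, 0x01], 7));
}
```

A streaming reader that resizes its buffer before the body has arrived cannot compare the length against the bytes on hand, so the fixed cap is the only thing standing between the declared length and the allocator.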