parseVersion1() is not secure #69
Comments
Alternative fix: use
You don't get to set delims with
Other thought: with the
IIRC we set up a buffered reader with implicit size of 4096 which means if the delimiter is not present, an EOF error will be thrown.
https://golang.org/src/bufio/bufio.go?s=13166:13221#L482 I also tried it directly with a test program, just in case I misread the code. Both methods will return slices that are bigger than the internal buffer size.
This might save you some time: https://pastebin.com/M130q0Bb. Simple server doing a single Output is:
Very interesting. Will have to spend some time on this which I don't have right now, I'm sorry.
CVE-2021-23351 was assigned to this issue.
Thanks to the Snyk folks for this https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMPIRESGOPROXYPROTO-1081577
The reader is a default bufio.Reader wrapping a net.Conn. It will read from the connection until it finds a newline. Since no limits are implemented in the code, a deliberately malformed V1 header could be used to exhaust memory in a server process using this code - a form of DDoS. The exploit is simple: send a stream starting with "PROXY" and keep sending data (which does not contain a newline) until the target stops acknowledging.

In most real world circumstances, the actual risk is small since only trusted sources should be allowed to send proxy protocol headers. However, this is still a security issue and should be resolved.

Easiest fix: reader.Peek(107) and scan for a newline. If none is found, then it is not a valid version 1 header anyway, so you can fail fast (the maximum v1 header size is 107 bytes). Otherwise, proceed with the reader.ReadString('\n') in full confidence.
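The unbounded ReadString behaviour discussed in the comments and the peek-then-read fix proposed in the issue body, as an added example. This is not go-proxyproto's code and does not claim to match the project's eventual fix; the function and type names (ReadV1LineUnbounded, ReadV1LineBounded, ParseV1, V1Header) are mine, the attack stream is constructed, and the 107-byte bound plus the TCP4/TCP6/UNKNOWN forms come from the PROXY protocol specification.

```go
package main

import (
	"bufio"
	"bytes"
	"errors"
	"fmt"
	"io"
	"net"
	"strconv"
	"strings"
)

// MaxV1HeaderLen is the longest legal version 1 line including CRLF (TCP6
// with two fully expanded IPv6 addresses and two 5-digit ports), per the spec.
const MaxV1HeaderLen = 107

var (
	ErrNoLine      = errors.New("proxyproto: no newline within 107 bytes")
	ErrNotV1       = errors.New("proxyproto: not a version 1 PROXY header")
	ErrMalformedV1 = errors.New("proxyproto: malformed version 1 header")
)

type V1Header struct {
	Family           string // TCP4, TCP6 or UNKNOWN
	SrcAddr, DstAddr net.IP
	SrcPort, DstPort int
}

// ReadV1LineUnbounded is the pattern the issue describes: ReadString grows its
// result until a '\n' arrives, so a newline-free stream is buffered in full.
func ReadV1LineUnbounded(r *bufio.Reader) (string, error) {
	return r.ReadString('\n')
}

// ReadV1LineBounded is the peek-then-read fix from the issue. Peek does not
// advance the reader, so on failure nothing has been consumed.
func ReadV1LineBounded(r *bufio.Reader) (string, error) {
	buf, err := r.Peek(MaxV1HeaderLen)
	// A short peek at EOF is fine if the newline is in it; other errors are fatal.
	if err != nil && !errors.Is(err, io.EOF) {
		return "", err
	}
	if bytes.IndexByte(buf, '\n') < 0 {
		return "", ErrNoLine
	}
	return r.ReadString('\n') // newline is within 107 bytes, so this is bounded
}

// ParseV1 validates a complete "PROXY ...\r\n" line and extracts its fields.
func ParseV1(line string) (*V1Header, error) {
	f := strings.Split(strings.TrimSuffix(line, "\r\n"), " ")
	if !strings.HasSuffix(line, "\r\n") || len(f) < 2 || f[0] != "PROXY" {
		return nil, ErrNotV1
	}
	h := &V1Header{Family: f[1]}
	switch h.Family {
	case "UNKNOWN": // spec: accept the connection, ignore any addresses
		return h, nil
	case "TCP4", "TCP6":
		if len(f) != 6 {
			return nil, ErrMalformedV1
		}
	default:
		return nil, ErrMalformedV1
	}
	h.SrcAddr, h.DstAddr = net.ParseIP(f[2]), net.ParseIP(f[3])
	for _, ip := range []net.IP{h.SrcAddr, h.DstAddr} { // ParseIP takes either family
		if ip == nil || (h.Family == "TCP4" && ip.To4() == nil) {
			return nil, ErrMalformedV1
		}
	}
	for i, dst := range []*int{&h.SrcPort, &h.DstPort} {
		p, err := strconv.Atoi(f[4+i])
		if err != nil || p < 0 || p > 65535 {
			return nil, ErrMalformedV1
		}
		*dst = p
	}
	return h, nil
}

// ReadV1 is what a server calls with the bufio.Reader wrapping its net.Conn.
func ReadV1(r *bufio.Reader) (*V1Header, error) {
	line, err := ReadV1LineBounded(r)
	if err != nil {
		return nil, err
	}
	return ParseV1(line)
}

func main() {
	evil := "PROXY" + strings.Repeat("A", 1<<20) // constructed attack stream: no newline
	s, err := ReadV1LineUnbounded(bufio.NewReader(strings.NewReader(evil)))
	fmt.Printf("unbounded: buffered %d bytes, err=%v\n", len(s), err)
	_, err = ReadV1LineBounded(bufio.NewReader(strings.NewReader(evil)))
	fmt.Printf("bounded: err=%v\n", err)
}
```

One caveat for real connections: Peek(107) blocks until 107 bytes have arrived or the peer closes, so put a read deadline on the net.Conn before calling it. A sender that writes a short header (for example "PROXY UNKNOWN\r\n") and then waits for the server to speak first would otherwise stall here; a byte-at-a-time read capped at 107 bytes avoids that while keeping the same bound.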