| 1 | +--- |
| 2 | +title: Disclosure of memory DoS due to malicious P2P message from many peers (≤ version 0.10.0) |
| 3 | +name: blog-disclose-receive-buffer-oom |
| 4 | +id: en-blog-disclose-receive-buffer-oom |
| 5 | +lang: en |
| 6 | +type: advisory |
| 7 | +layout: post |
| 8 | + |
| 9 | +## If this is a new post, reset this counter to 1. |
| 10 | +version: 1 |
| 11 | + |
| 12 | +## Only true if release announcement or security annoucement. English posts only |
| 13 | +announcement: 1 |
| 14 | + |
| 15 | +excerpt: > |
| 16 | + A node could be forced to allocate large buffers when receiving a message, which could be leveraged to remotely crash it by OOM. |
| 17 | +--- |
| 18 | + |
| 19 | +A node could be forced to allocate large buffers when receiving a message, which could be leveraged to remotely crash it by OOM. |
| 20 | + |
| 21 | +This issue is considered **Medium** severity. |
| 22 | + |
| 23 | +## Details |
| 24 | + |
| 25 | +Without a tighter bound, received messages' size was limited by the maximum serialized message size |
| 26 | +of 32 MiB. An attacker could force a node to allocate this much RAM per connection, which may lead |
| 27 | +to an OOM. |
| 28 | + |
| 29 | +[PR #5843](https://github.com/bitcoin/bitcoin/pull/5843) reduced the size P2P messages can have |
| 30 | +before receiving the payload. This reduces the per-peer receive buffer memory size a malicious peer |
| 31 | +can cause. The PR reduced the number from 32 MiB to 2 MiB, which was later increased back to 4 MB as |
| 32 | +part of the Segwit BIP144 changes. |
| 33 | + |
| 34 | +## Attribution |
| 35 | + |
| 36 | +Reported to Greg Maxwell by bitcointalk user Evil-Knievel. Fixed by Pieter Wuille. |
| 37 | + |
| 38 | +## Timeline |
| 39 | + |
| 40 | +- 2015-02-05 Evil-Knievel reports the vulnerability to Greg Maxwell through bitcointalk private messages. |
| 41 | +- 2015-??-?? `CVE-2015-3641` is registered for it. |
| 42 | +- 2015-03-01 [PR #5843](https://github.com/bitcoin/bitcoin/pull/5843) is opened to fix it. |
| 43 | +- 2015-03-06 PR #5843 is merged. |
| 44 | +- 2015-03-09 The fix is backported to version 0.10.1. |
| 45 | +- 2015-04-27 Bitcoin Core version [0.10.1 is released](https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2015-April/007828.html) with a fix. |
| 46 | +- 2015-06-25 A disclosure is [pre-announced](https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2015-June/009135.html). |
| 47 | +- 2015-07-07 Disclosure is [postponed](https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2015-July/009362.html). |
| 48 | +- 2016-08-23 The last vulnerable Bitcoin Core Version (0.10.x) goes EOL |
| 49 | +- 2024-07-03 Public disclosure. |
| 50 | + |
| 51 | +{% include references.md %} |
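Review bot: the aggregate exposure is left implicit: the Details paragraph bounds the allocation "per connection" while the title says "from many peers", so spell out that the 32 MiB receive buffer multiplies by the number of connections the node accepts, because that multiplication is what turns a bounded per-peer allocation into an OOM. In the same section, "later increased back to 4 MB" is misleading, since 4 MB was never a prior value (the sequence is 32 MiB, then 2 MiB, then 4 MB); write "later raised to 4 MB", and if the MiB/MB mix is deliberate say so, otherwise use one unit throughout. Smaller points: "annoucement" in the front-matter comment should be "announcement"; the "2015-??-??" CVE entry in the Timeline needs a real date or should be reworded as undated before this is published; and the EOL bullet should read "The last vulnerable Bitcoin Core version (0.10.x) goes EOL." with a lowercase "version" and a closing period like the other entries.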