Skip to content

fix: cap TCP recv buffer size to prevent unbounded allocation (#1009) #1022

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
aki1770-del wants to merge 1 commit into
base: master
Choose a base branch
from
Open

fix: cap TCP recv buffer size to prevent unbounded allocation (#1009) #1022

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion implementation/configuration/src/configuration_impl.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3453,7 +3453,7 @@ std::uint32_t configuration_impl::get_max_message_size_reliable(const std::strin
return its_port->second;
}
}
return (max_reliable_message_size_ == 0) ? ((VSOMEIP_MAX_TCP_MESSAGE_SIZE == 0) ? MESSAGE_SIZE_UNLIMITED : VSOMEIP_MAX_TCP_MESSAGE_SIZE)
return (max_reliable_message_size_ == 0) ? ((VSOMEIP_MAX_TCP_MESSAGE_SIZE == 0) ? VSOMEIP_MAX_TCP_MESSAGE_SIZE_DEFAULT : VSOMEIP_MAX_TCP_MESSAGE_SIZE)
: max_reliable_message_size_;
}

Expand Down
2 changes: 1 addition & 1 deletion implementation/endpoints/src/tcp_server_endpoint_impl.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -677,7 +677,7 @@ void tcp_server_endpoint_impl::connection::receive_cbk(boost::system::error_code
its_lock.unlock();
wait_until_sent(boost::asio::error::operation_aborted);
return;
} else if (max_message_size_ != MESSAGE_SIZE_UNLIMITED && current_message_size > max_message_size_) {
} else if (current_message_size > max_message_size_) {
recv_buffer_size_ = 0;
recv_buffer_.resize(recv_buffer_size_initial_, 0x0);
recv_buffer_.shrink_to_fit();
Expand Down
6 changes: 6 additions & 0 deletions interface/vsomeip/defines.hpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,12 @@ constexpr std::uint8_t VSOMEIP_PROTOCOL_VERSION = 0x1;
constexpr std::size_t VSOMEIP_MAX_LOCAL_MESSAGE_SIZE = 0;
// 0 = unlimited, if not specified otherwise via configuration file
constexpr std::size_t VSOMEIP_MAX_TCP_MESSAGE_SIZE = 0;
// Safe default cap for TCP receive buffer when neither VSOMEIP_MAX_TCP_MESSAGE_SIZE
// nor the runtime "max-message-size-reliable" JSON option is set. Prevents unbounded
// heap growth from an attacker-supplied SOME/IP Length field (CWE-789, issue #1009).
// Operators who genuinely need larger messages should set max-message-size-reliable
// in their vsomeip configuration file.
constexpr std::uint32_t VSOMEIP_MAX_TCP_MESSAGE_SIZE_DEFAULT = 1048576U; // 1 MiB
constexpr std::size_t VSOMEIP_MAX_UDP_MESSAGE_SIZE = 1416;

constexpr std::size_t VSOMEIP_PACKET_SIZE = VSOMEIP_MAX_UDP_MESSAGE_SIZE;
Expand Down