aboutsummaryrefslogtreecommitdiff
path: root/src/cryptonote_protocol
diff options
context:
space:
mode:
authoranonimal <anonimal@getmonero.org>2019-03-09 09:11:44 +0000
committermoneromooo-monero <moneromooo-monero@users.noreply.github.com>2019-06-14 08:47:05 +0000
commit8f66b7053a8e4521fdd68c1d74718e73345fb158 (patch)
treeb669995624bedf1c4377c32d1183dede4545434d /src/cryptonote_protocol
parentepee: basic sanity check on allocation size from untrusted source (diff)
downloadmonero-8f66b7053a8e4521fdd68c1d74718e73345fb158.tar.xz
cryptonote_protocol_handler: prevent potential DoS
Essentially, one can send such a large amount of IDs that core exhausts all free memory. This issue can theoretically be exploited using very large CN blockchains, such as Monero. This is a partial fix. Thanks and credit given to CryptoNote author 'cryptozoidberg' for collaboration and the fix. Also thanks to 'moneromooo'. Referencing HackerOne report #506595.
Diffstat (limited to 'src/cryptonote_protocol')
-rw-r--r--src/cryptonote_protocol/cryptonote_protocol_handler.h1
-rw-r--r--src/cryptonote_protocol/cryptonote_protocol_handler.inl11
2 files changed, 12 insertions, 0 deletions
diff --git a/src/cryptonote_protocol/cryptonote_protocol_handler.h b/src/cryptonote_protocol/cryptonote_protocol_handler.h
index 0927b5d7f..f1fd69960 100644
--- a/src/cryptonote_protocol/cryptonote_protocol_handler.h
+++ b/src/cryptonote_protocol/cryptonote_protocol_handler.h
@@ -52,6 +52,7 @@ PUSH_WARNINGS
DISABLE_VS_WARNINGS(4355)
#define LOCALHOST_INT 2130706433
+#define CURRENCY_PROTOCOL_MAX_BLOCKS_REQUEST_COUNT 500
namespace cryptonote
{
diff --git a/src/cryptonote_protocol/cryptonote_protocol_handler.inl b/src/cryptonote_protocol/cryptonote_protocol_handler.inl
index 8958af7c7..0eacc7cd4 100644
--- a/src/cryptonote_protocol/cryptonote_protocol_handler.inl
+++ b/src/cryptonote_protocol/cryptonote_protocol_handler.inl
@@ -914,6 +914,17 @@ namespace cryptonote
int t_cryptonote_protocol_handler<t_core>::handle_request_get_objects(int command, NOTIFY_REQUEST_GET_OBJECTS::request& arg, cryptonote_connection_context& context)
{
MLOG_P2P_MESSAGE("Received NOTIFY_REQUEST_GET_OBJECTS (" << arg.blocks.size() << " blocks, " << arg.txs.size() << " txes)");
+
+ if (arg.blocks.size() > CURRENCY_PROTOCOL_MAX_BLOCKS_REQUEST_COUNT)
+ {
+ LOG_ERROR_CCONTEXT(
+ "Requested objects count is too big ("
+ << arg.blocks.size() << ") expected not more then "
+ << CURRENCY_PROTOCOL_MAX_BLOCKS_REQUEST_COUNT);
+ drop_connection(context, false, false);
+ return 1;
+ }
+
NOTIFY_RESPONSE_GET_OBJECTS::request rsp;
if(!m_core.handle_get_objects(arg, rsp, context))
{