#35641 [BC-Insight] node p2p remote denial of service

Submitted on Oct 1st 2024 at 21:39:01 UTC by @gln for Audit Comp | Shardeum: Core II

• Report ID: #35641

• Report Type: Blockchain/DLT

• Report severity: Insight

• Target: https://immunefi.com

• Impacts:

  • Causing network processing nodes to process transactions from the transaction queue beyond set parameters

  • Direct loss of funds

Description

Brief/Intro

Shardeum node will read unsigned integer from a network and allocated memory without any bounds checks.

Vulnerability Details

There are a lot of places in lib-net, where uint32 is read from an incoming packet and buffer of requested size is allocated.

Consider this example https://github.com/shardeum/lib-net/blob/dev/shardus_net/src/message.rs#L96

``` pub fn deserialize(cursor: &mut Cursor<Vec<u8>>) -> Option<Message> { let mut header_version_bytes = [0u8; 1]; cursor.read_exact(&mut header_version_bytes).ok()?; let header_version = u8::from_le_bytes(header_version_bytes);

```

1. 'header_len' does not have any upper bounds checks.

2. so 4GB buffer will be allocated

If several such requests will be very close in time, memory allocation will fail and rust panics.

As a result node will crash with out of memory error.

Impact Details

An attacker will be able to trigger out of memory error and crash shardeum node remotely.

Proof of Concept

Proof of Concept

How to reproduce:

1. get test1.js by using provided gist link https://gist.github.com/gln7/ad3815f298bb898d3161bba8cb8999bc

(basically, this is the same as test.js from report #34093, thanks to author!)

1. get and build lib-net:

``` $ git clone https://github.com/shardeum/lib-net --depth 1 $ cd lib-net $ npm run build

```

1. run test server: ``` $ ulimit -Sv 4000000 $ node test1.js ```

2. get t1.py (gist link - https://gist.github.com/gln7/99e0f927db93e70c690c5893007e63e3)

3. run t1.py:

``` ./t1.py localhost 10001 ```

1. nodejs will crash:

``` memory allocation of 4294967295 bytes failed Aborted (core dumped)

```