Steemd 0.20.6 bug - memory exhaustion when parsing malicious hello_message

Project Information

Expected behavior

The steemd process should handle malformed messages arriving from a peer by logging an error and/or terminating the connection.

Actual behavior

A carefully crafted hello_message can cause steemd to attempt to allocate all available memory, crashing the process.

How to reproduce

A fuller writeup of how the bug was found can be read at @fuzz-ai/a-memory-exhaustion-attack-against-the-steem-blockchain

To exploit the bug, a malicious witness connects to a steemd instance over the network (using the peer-to-peer protocol) and participates in the encryption handshake. When sending the normal hello_message, it populates the variant_object field with an ill-formed variant object. On the wire, this is a repeating sequence of the four bytes

06        -- array
80 c0 02  -- of length 655360

The unparse function allocates a vector of this length (the maximum allowed) and then recursively populates its first entry with another maximum-length vector. The first element of that entry is in turn another preallocated vector, and so on, for as many levels of depth as the maximum message size (and the stack size of the thread) permit. Memory usage therefore far exceeds the 2MB maximum message size, reaching up to about 1.3 terabytes, which will likely cause out-of-memory conditions on all but the very largest servers.
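As an added example (not the page's code and not steemd's or fc's), here is a length-prefixed parser in the same shape as the one described above that refuses the nested-array input: it checks each declared element count against the bytes still unread before sizing anything from it, and caps nesting depth, so neither heap nor stack usage is controlled by the peer's length fields. The function names and kMaxDepth are assumptions of this example.

```cpp
#include <cstdint>
#include <stdexcept>
#include <vector>

// Added example (not fc/steemd code): unpacker for null (00) and array (06) variants.
struct Reader {
    const std::vector<uint8_t>& buf;
    size_t pos;
    uint8_t get() { if (pos >= buf.size()) throw std::runtime_error("truncated"); return buf[pos++]; }
    size_t remaining() const { return buf.size() - pos; }
};

// LEB128-style unsigned length prefix (the "80 c0 02" form shown on the page).
uint32_t read_varint(Reader& r) {
    uint64_t v = 0; int shift = 0; uint8_t b;
    do {
        if (shift > 28) throw std::runtime_error("varint too long");
        b = r.get(); v |= uint64_t(b & 0x7f) << shift; shift += 7;
    } while (b & 0x80);
    return uint32_t(v);
}

// Each element needs >= 1 byte, so a count above the unread bytes is rejected before
// anything is sized from it; a depth cap (assumed value, not steemd's) bounds recursion.
size_t parse_value(Reader& r, int depth = 0) {
    constexpr int kMaxDepth = 64;
    if (depth > kMaxDepth) throw std::runtime_error("nesting too deep");
    uint8_t type = r.get();
    if (type == 0x00) return 1;                        // null leaf
    if (type != 0x06) throw std::runtime_error("unsupported variant type");
    uint32_t count = read_varint(r);
    if (count > r.remaining()) throw std::runtime_error("count exceeds payload");
    size_t total = 1;                                  // the array itself
    for (uint32_t i = 0; i < count; ++i) total += parse_value(r, depth + 1);
    return total;
}

// Parses a whole buffer; returns 0 if the input is rejected or has trailing bytes.
size_t safe_node_count(const std::vector<uint8_t>& bytes) {
    try { Reader r{bytes, 0}; size_t n = parse_value(r); return r.remaining() == 0 ? n : 0; }
    catch (const std::runtime_error&) { return 0; }
}

// Constructed sample: `levels` nested arrays, each with length prefix `len` (the
// page's 80 c0 02 for the attack, 01 for a benign deep chain), ending in a null.
std::vector<uint8_t> nested_payload(size_t levels, std::vector<uint8_t> len) {
    std::vector<uint8_t> out;
    for (size_t i = 0; i < levels; ++i) { out.push_back(0x06); out.insert(out.end(), len.begin(), len.end()); }
    out.push_back(0x00); return out;
}
```

The hostile payload is rejected at the first level, since its declared count already exceeds the whole message; the vulnerable path instead resized a vector to that count before reading a single element.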

This bug was reported to [email protected] and was patched in release 0.20.7.

GitHub Account

https://github.com/fuzz-ai
