RUSTSEC-2017-0006

Unchecked vector pre-allocation

Issued
Package
rmpv (crates.io)
Type
Vulnerability
Categories
Keywords
#memory #dos #msgpack #serialization #deserialization
Details
https://github.com/3Hren/msgpack-rust/issues/151
Patched
  • >=0.4.2

Description

Affected versions of this crate pre-allocate memory when deserializing raw buffers without checking whether sufficient data is available.

This allows an attacker to mount denial-of-service attacks by sending small msgpack messages that cause gigabytes of memory to be allocated.
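
The class of bug described above, shown on a msgpack `bin 32` value (marker `0xc6`, 32-bit big-endian length, payload) as an added example; this is not rmpv's code. The function names are hypothetical and the sample messages are constructed.

```rust
use std::io::{self, Read};

const BIN32: u8 = 0xc6; // msgpack "bin 32": marker, u32 big-endian length, payload

/// Reads the marker and the sender-controlled length field.
fn read_bin32_len(input: &mut &[u8]) -> io::Result<usize> {
    let mut head = [0u8; 5];
    input.read_exact(&mut head)?;
    if head[0] != BIN32 {
        return Err(io::Error::new(io::ErrorKind::InvalidData, "not bin 32"));
    }
    Ok(u32::from_be_bytes([head[1], head[2], head[3], head[4]]) as usize)
}

/// Unchecked pattern: allocate whatever the header declares, then try to
/// fill it. A 5-byte message can request up to 4 GiB.
fn read_bin32_unchecked(mut input: &[u8]) -> io::Result<Vec<u8>> {
    let len = read_bin32_len(&mut input)?;
    let mut buf = vec![0u8; len]; // allocation happens before any payload is seen
    input.read_exact(&mut buf)?;
    Ok(buf)
}

/// Hardened: the declared length must fit in the bytes actually present.
fn read_bin32_checked(mut input: &[u8]) -> io::Result<Vec<u8>> {
    let len = read_bin32_len(&mut input)?;
    if len > input.len() {
        return Err(io::Error::new(
            io::ErrorKind::UnexpectedEof,
            "declared length exceeds available data",
        ));
    }
    Ok(input[..len].to_vec()) // allocation is bounded by the input size
}

fn main() {
    let ok = [BIN32, 0, 0, 0, 3, b'a', b'b', b'c']; // constructed sample
    let hostile = [BIN32, 0xff, 0xff, 0xff, 0xff]; // constructed: claims ~4 GiB
    println!("{:?}", read_bin32_checked(&ok));
    println!("{:?}", read_bin32_checked(&hostile).map(|v| v.len()));
}
```

When the input is a stream rather than a slice, the same bound can be enforced by capping the initial capacity and growing the buffer only as payload bytes actually arrive.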