RUSTSEC-2019-0033

Integer Overflow in HeaderMap::reserve() can cause Denial of Service

Issued
Package
http (crates.io)
Type
Vulnerability
Categories
Keywords
#http #integer-overflow #DoS
Aliases
Details
https://github.com/hyperium/http/issues/352
CVSS Score
7.5 HIGH
CVSS Details
Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Patched
  • >=0.1.20
Affected Functions
Version
http::header::HeaderMap::reserve
  • <0.1.20

Description

HeaderMap::reserve() used usize::next_power_of_two() to calculate the increased capacity. However, next_power_of_two() silently overflows to 0 if given a sufficiently large number in release mode.

If the map was not empty when the overflow happens, the library will invoke self.grow(0) and start infinite probing. This allows an attacker who controls the argument to reserve() to cause a potential denial of service (DoS).

The flaw was corrected in the 0.1.20 release of the http crate.
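The following is an added illustration, not code from the http crate or from this advisory. It reconstructs the capacity calculation the description refers to (new capacity = current length plus the requested additional slots, rounded up to the next power of two) as a hypothetical function, writes out the wrapping arithmetic that usize::next_power_of_two performs in release mode so the overflow-to-0 result is visible even in a debug build (where the real method would panic instead), and places a hardened variant beside it that uses checked arithmetic and reports the overflow as an error rather than producing a zero capacity. The function and type names are assumptions chosen for the example.

```rust
/// Error returned by the hardened variant when the requested capacity cannot
/// be represented. (Hypothetical type, not part of the http crate.)
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct CapacityOverflow;

/// Hypothetical reconstruction of the vulnerable calculation.
///
/// Mirrors the arithmetic behind `usize::next_power_of_two`: compute
/// "one less than the next power of two" as a mask, then add 1. In release
/// mode that final addition wraps, so any `needed` above the largest
/// representable power of two yields a capacity of 0 instead of an error.
/// The wrapping is spelled out explicitly here so the result is the same in
/// debug builds (where the std method would panic on overflow).
pub fn vulnerable_capacity(len: usize, additional: usize) -> usize {
    let needed = len.wrapping_add(additional);
    if needed <= 1 {
        return 1;
    }
    let mask = usize::MAX >> (needed - 1).leading_zeros();
    mask.wrapping_add(1) // wraps to 0 when `mask` is usize::MAX
}

/// Hardened variant (assumed design, not necessarily the upstream fix):
/// every step uses checked arithmetic, so an unrepresentable request surfaces
/// as `Err(CapacityOverflow)` that the caller can reject, rather than a
/// zero-sized table that would send the probing loop spinning.
pub fn checked_capacity(len: usize, additional: usize) -> Result<usize, CapacityOverflow> {
    len.checked_add(additional)
        .and_then(|needed| needed.checked_next_power_of_two())
        .ok_or(CapacityOverflow)
}

fn main() {
    // Constructed sample inputs: an ordinary request and one just past the
    // largest power of two that fits in usize on this target.
    let huge = usize::MAX / 2 + 2;
    println!("vulnerable_capacity(3, 5)      = {}", vulnerable_capacity(3, 5));
    println!("vulnerable_capacity(0, huge)   = {}", vulnerable_capacity(0, huge));
    println!("checked_capacity(3, 5)         = {:?}", checked_capacity(3, 5));
    println!("checked_capacity(0, huge)      = {:?}", checked_capacity(0, huge));
}
```

The important property of the hardened form is that the failure is a value the caller can act on: a server can drop the offending request and log it, whereas the zero capacity in the vulnerable form is indistinguishable from a valid result until the growth path has already been entered.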