RUSTSEC-2020-0019

tokio-rustls reads may cause excessive memory usage

Reported

May 19, 2020

Issued

October 1, 2020 (last modified: June 13, 2023)

Package

tokio-rustls (crates.io)

Type

Vulnerability

Categories

denial-of-service

Keywords

#tls #ssl #DoS

Aliases

References

https://github.com/tokio-rs/tls/pull/14

CVSS Score

7.5 HIGH

CVSS Details

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Patched

>=0.12.3, <0.13.0
>=0.13.1

Unaffected

<0.12

Description

tokio-rustls does not call process_new_packets immediately after read, so the expected termination condition wants_read always returns true. As long as new incoming data arrives faster than it is processed and the reader does not return pending, data will be buffered.

This may cause DoS.

Advisory available under CC0-1.0 license.