Disclosure of memory DoS using huge INV messages



A node could be forced to allocate a significant amount of memory upon receiving a specially crafted
INV message. This was particularly an issue for nodes with little available memory or a large
number of connections.

This issue is considered Medium severity.

Details

An INV message filled with 50,000 block items could cause 50,000 getheaders responses to be sent
in a single ProcessMessages() call. Each response contains a locator and is around 1 kB. All would
be put into the send buffer at once. The attacker could just refuse to receive data to prevent the
50 MB buffer from draining.

John Newbery opened PR #18962 to fix this issue
pretexting a bandwidth gain from sending a single GETHEADERS per received INV.

Attribution

Credits to John Newbery for finding this bug, responsibly disclosing it and fixing it.

Timeline

2020-05-08 John Newbery reports his finding by email
2020-05-12 John Newbery opens #18962
2020-05-14 #18962 is merged
2020-06-03 Bitcoin Core version 0.20.0 is released with a fix
2021-09-13 The last vulnerable Bitcoin Core version (0.19.x) goes EOL
2024-07-03 Public disclosure.



Source link