[High] Insufficient TLV Bounds Checking (Potential Panic/DoS) #20

Open
opened 2026-02-11 19:31:44 +00:00 by thabeta · 0 comments

Issue

Malformed TLV (Type-Length-Value) packets with oversized payloads are not properly validated before deserialization, creating a potential denial-of-service vector.

Location

mycelium/src/babel/tlv.rs

Problem Description

The TLV parser reads the length field without verifying it against the remaining buffer size. An attacker sending a crafted Babel packet with length > actual_buffer_size could cause:

  • Buffer over-read (potential memory disclosure)
  • Panic if bounds checking is enforced elsewhere
  • Denial of service by forcing repeated malformed packets

Code Pattern (Suspected)

let length = read_u16(buf)?;
let tlv_data = &buf[pos..pos + length as usize];

Impact

  • Severity: HIGH (DoS + potential memory safety)
  • CVSS: ~7.5 (Network DoS)
  • Frequency: Can be triggered remotely by any peer

Remediation

  1. Add explicit bounds check: if pos + length > buf.len() { return Err(...) }
  2. Use safe indexing methods (e.g., get() instead of direct indexing)
  3. Add fuzzing to the TLV parser
  4. Document maximum allowed TLV payload sizes

Testing

  • Fuzz with libFuzzer or AFL on malformed Babel packets
  • Send TLV packets with length=u16::MAX
  • Verify no panics or crashes occur
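As an added example (not mycelium's code), a minimal TLV walker that places the unchecked slice from the issue beside a `get()`-based version which returns an error instead of panicking when the claimed length exceeds the remaining bytes. The header layout (1-byte type followed by a big-endian u16 length, as the issue's `read_u16` suggests), the `Tlv` and `TlvError` types, and the function names are assumptions made for this example.

```rust
// Constructed example: not the mycelium parser, just the two patterns side by side.
// Assumed wire layout per TLV: [type: u8][length: u16 big-endian][value: length bytes].

#[derive(Debug, PartialEq)]
pub struct Tlv<'a> {
    pub typ: u8,
    pub value: &'a [u8],
}

#[derive(Debug, PartialEq)]
pub enum TlvError {
    /// The packet claims `needed` bytes at `pos` but only `have` remain.
    Truncated { pos: usize, needed: usize, have: usize },
}

/// The suspected pattern from the issue: the length field is trusted and used
/// directly as a slice bound. A peer-controlled `len` larger than the remaining
/// bytes makes `&buf[pos..pos + len]` panic, which is the DoS the issue describes.
pub fn parse_tlvs_unchecked(buf: &[u8]) -> Vec<Tlv<'_>> {
    let mut out = Vec::new();
    let mut pos = 0;
    while pos + 3 <= buf.len() {
        let typ = buf[pos];
        let len = u16::from_be_bytes([buf[pos + 1], buf[pos + 2]]) as usize;
        pos += 3;
        out.push(Tlv { typ, value: &buf[pos..pos + len] }); // panics on oversized len
        pos += len;
    }
    out
}

/// Bounds-checked slice: `None` from `get()` becomes a typed error, never a panic.
fn take(buf: &[u8], pos: usize, len: usize) -> Result<&[u8], TlvError> {
    buf.get(pos..pos + len)
        .ok_or(TlvError::Truncated { pos, needed: len, have: buf.len().saturating_sub(pos) })
}

/// Hardened walker: every header and value read goes through `take`, so a
/// malformed length (e.g. u16::MAX) is rejected and the caller can drop the packet.
pub fn parse_tlvs(buf: &[u8]) -> Result<Vec<Tlv<'_>>, TlvError> {
    let mut out = Vec::new();
    let mut pos = 0;
    while pos < buf.len() {
        let hdr = take(buf, pos, 3)?;
        let len = u16::from_be_bytes([hdr[1], hdr[2]]) as usize;
        let value = take(buf, pos + 3, len)?;
        out.push(Tlv { typ: hdr[0], value });
        pos += 3 + len;
    }
    Ok(out)
}
```

Feeding the same length=u16::MAX packet to both functions shows the difference: the unchecked version panics, the hardened one returns `Err(TlvError::Truncated { .. })` with the offending offset, which is also a useful thing to log when counting malformed packets per peer.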
Reference
geomind_code/mycelium_network#20