[High] Insufficient TLV Bounds Checking (Potential Panic/DoS) #20
Issue
Malformed TLV (Type-Length-Value) packets with oversized payloads are not properly validated before deserialization, creating a potential denial-of-service vector.
Location
mycelium/src/babel/tlv.rs
Problem Description
The TLV parser reads the length field without verifying it against the remaining buffer size. An attacker sending a crafted Babel packet with length > actual_buffer_size could cause:
Code Pattern (Suspected)
Impact
Remediation
if pos + length > buf.len() { return Err(...) }
get() instead of direct indexing)
Testing
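
The length check and `get()`-based access named under Remediation, as an added example that is not mycelium's own code. It assumes the TLV layout from RFC 8966 (1-byte type, 1-byte length, body; Pad1 is type 0 with no length byte); `parse_tlvs`, `Tlv` and `TlvError` are hypothetical names.

```rust
// Added example: bounds-checked TLV walker. Layout assumed from RFC 8966
// (1-byte type, 1-byte length, body; Pad1 = type 0 with no length byte).
#[derive(Debug, PartialEq)]
pub enum TlvError {
    MissingLength { offset: usize },
    Truncated { offset: usize, declared: usize, available: usize },
}

#[derive(Debug, PartialEq)]
pub struct Tlv<'a> {
    pub kind: u8,
    pub body: &'a [u8],
}

const PAD1: u8 = 0;

/// Split a packet body into TLVs without ever indexing past the buffer.
pub fn parse_tlvs(buf: &[u8]) -> Result<Vec<Tlv<'_>>, TlvError> {
    let mut out = Vec::new();
    let mut pos = 0usize;
    while let Some(&kind) = buf.get(pos) {
        if kind == PAD1 {
            pos += 1; // Pad1 carries no length or body
            continue;
        }
        let length = *buf
            .get(pos + 1)
            .ok_or(TlvError::MissingLength { offset: pos })? as usize;
        let start = pos + 2;
        // The check from the issue: declared length must fit in what remains.
        let body = start
            .checked_add(length)
            .and_then(|end| buf.get(start..end))
            .ok_or(TlvError::Truncated {
                offset: pos,
                declared: length,
                available: buf.len() - start,
            })?;
        out.push(Tlv { kind, body });
        pos = start + length;
    }
    Ok(out)
}

fn main() {
    // Constructed input: type 4, declared length 200, only 3 body bytes present.
    let crafted = [4u8, 200, 0xaa, 0xbb, 0xcc];
    println!("{:?}", parse_tlvs(&crafted));
}
```

A truncated or oversized TLV comes back as an `Err` the caller can log and drop, so malformed input never reaches a slice index that could panic.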