geomind_code/mycelium_network
24
1
Fork 0
Code Issues 8 Pull requests 3 Projects Releases Packages Wiki Activity Actions

[High][Security/DoS] Message receiver allows unbounded allocation and retention from untrusted input #30

New issue
Open
opened 2026-03-19 22:43:21 +00:00 by thabeta · 0 comments
thabeta commented 2026-03-19 22:43:21 +00:00
Owner
Copy link

Summary

The message subsystem currently lets remote peers drive memory growth in several ways:

  • INIT can force allocation based on an untrusted declared message length.
  • Pending inbound messages do not appear to have expiry/cleanup if transmission never completes.
  • Completed inbound messages are queued in an unbounded VecDeque.

Why this matters

This creates a practical denial-of-service surface on any node that accepts messages.

An attacker does not need to complete valid messages to cause damage. They can repeatedly send large INIT metadata, incomplete streams, or just generate completed messages faster than the application drains them.

Evidence

Untrusted allocation based on declared message length:

  • mycelium/src/message.rs:420-421

Pending inbound state is inserted here:

  • mycelium/src/message.rs:432

Pending state is only removed on DONE / ABORT handling here:

  • mycelium/src/message.rs:654
  • mycelium/src/message.rs:675

Completed messages are retained in an unbounded queue defined here:

  • mycelium/src/message.rs:127-135

Completed messages are appended in multiple paths, for example:

  • mycelium/src/message.rs:631-633
  • mycelium/src/message.rs:649-651

Expected behavior

The subsystem should enforce bounded memory usage for hostile or slow-consumer scenarios.

Actual behavior

The implementation has no obvious hard cap or expiry for inbound message state.

Suggested fix

  • Put an upper bound on accepted message length.
  • Add expiry for pending inbound messages that never reach DONE.
  • Bound complete_msges and choose a policy for overflow.
  • Consider per-peer/per-topic quotas.
  • Add adversarial tests for incomplete transmissions and large declared lengths.

Risk

High. This is a classic remote memory pressure / DoS vector in a network-facing subsystem.

## Summary The message subsystem currently lets remote peers drive memory growth in several ways: - `INIT` can force allocation based on an untrusted declared message length. - Pending inbound messages do not appear to have expiry/cleanup if transmission never completes. - Completed inbound messages are queued in an unbounded `VecDeque`. ## Why this matters This creates a practical denial-of-service surface on any node that accepts messages. An attacker does not need to complete valid messages to cause damage. They can repeatedly send large `INIT` metadata, incomplete streams, or just generate completed messages faster than the application drains them. ## Evidence Untrusted allocation based on declared message length: - `mycelium/src/message.rs:420-421` Pending inbound state is inserted here: - `mycelium/src/message.rs:432` Pending state is only removed on `DONE` / `ABORT` handling here: - `mycelium/src/message.rs:654` - `mycelium/src/message.rs:675` Completed messages are retained in an unbounded queue defined here: - `mycelium/src/message.rs:127-135` Completed messages are appended in multiple paths, for example: - `mycelium/src/message.rs:631-633` - `mycelium/src/message.rs:649-651` ## Expected behavior The subsystem should enforce bounded memory usage for hostile or slow-consumer scenarios. ## Actual behavior The implementation has no obvious hard cap or expiry for inbound message state. ## Suggested fix - Put an upper bound on accepted message length. - Add expiry for pending inbound messages that never reach DONE. - Bound `complete_msges` and choose a policy for overflow. - Consider per-peer/per-topic quotas. - Add adversarial tests for incomplete transmissions and large declared lengths. ## Risk High. This is a classic remote memory pressure / DoS vector in a network-facing subsystem.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
aidl_experimentation
master_peers
peter-patch-1
master_fix_dns_forward
development
async_route_lookup
main-integration
v0.7.5
v0.7.4
v0.7.3
v0.7.2
v0.7.1
v0.7.0
v0.6.2
v0.6.1
v0.6.0
v0.5.7
v0.5.6
v0.5.5
v0.5.4
v0.5.3
v0.5.2
v0.5.1
v0.5.0
v0.4.5
v0.4.4
v0.4.3
v0.4.2
v0.4.1
v0.4.0
v0.3.2
v0.3.1
v0.3.0
v0.2.3
v0.2.2
v0.2.1
v0.2.0
v0.1.3
v0.1.2
v0.1.1
v0.1.0
v0.0.2
v0.0.1
Labels
Clear labels   
Urgent
No labels
Urgent
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
geomind_code/mycelium_network#30
No description provided.