Summary
The project NordSecurity/nordvpn-linux used rustls::ConnectionCommon::complete_io, which could fall into an infinite loop based on network input. Verified at 0.22 and 0.23 rustls, but 0.21 and 0.20 release lines are also affected. tokio-rustls and rustls-ffi do not call complete_io and are not affected. rustls::Stream and rustls::StreamOwned types use complete_io and are affected.

When using a blocking rustls server, if a client sends a close_notify message immediately after client_hello, the server's complete_io will get into an infinite loop where:

- eof: false
- until_handshaked: true
- self.is_handshaking(): true
- self.wants_write(): false
- self.wants_read(): false

You can observe the server process reach 100% CPU usage, and if you add logging at the beginning of rustls::conn::ConnectionCommon::complete_io, you can see the function spinning. A multithreaded non-async server that uses rustls could be attacked with a few requests like the above (each request could cause one thread to spin) and stop handling normal requests.

CWE-835
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
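
The loop state listed in the summary can be reproduced in a small model that also shows a no-progress guard turning the spin into an error. This is an added example, not code from rustls or from the advisory: Msg, Conn, Outcome, drive, the guard flag and the iteration budget are hypothetical, and the loop shape is an assumption built only from the flags the advisory names.

```rust
use std::collections::VecDeque;

// Simplified model, NOT rustls source. Msg, Conn, Outcome and drive are hypothetical
// names; only the flag names (eof, until_handshaked, wants_read, ...) come from the advisory.
#[derive(Clone, Copy)]
enum Msg { ClientHello, Finished, CloseNotify }
#[derive(Debug, PartialEq)]
enum Outcome { Handshaked, UnexpectedEof, Spinning }
struct Conn { handshaking: bool, wants_read: bool, wants_write: bool }

impl Conn {
    fn process(&mut self, m: Msg) {
        match m {
            Msg::ClientHello => self.wants_write = true, // server flight is queued
            Msg::Finished => self.handshaking = false,
            // Peer closed its sending side: no further reads, handshake never completes.
            Msg::CloseNotify => self.wants_read = false,
        }
    }
}

// `peer` is a constructed list of client messages, followed by EOF on the socket.
// `guard` enables a no-progress check; `budget` caps passes so the demo terminates.
fn drive(peer: &[Msg], guard: bool, budget: u32) -> Outcome {
    let mut inbox: VecDeque<Msg> = peer.iter().copied().collect();
    let mut conn = Conn { handshaking: true, wants_read: true, wants_write: false };
    let until_handshaked = conn.handshaking;
    let mut eof = false;
    for _ in 0..budget {
        let mut did_io = false;
        if conn.wants_write { conn.wants_write = false; did_io = true; } // flush records
        if !eof && conn.wants_read {
            did_io = true;
            match inbox.pop_front() { Some(m) => conn.process(m), None => eof = true }
        }
        match (eof, until_handshaked, conn.handshaking) {
            (_, true, false) => return Outcome::Handshaked,
            (true, true, true) => return Outcome::UnexpectedEof,
            _ => {}
        }
        if guard && !did_io { return Outcome::UnexpectedEof; } // handshaking, but no I/O this pass
    }
    Outcome::Spinning // eof=false, is_handshaking=true, wants_read=false, wants_write=false
}

fn main() {
    let a = [Msg::ClientHello, Msg::CloseNotify];
    println!("{:?}", (drive(&a, false, 1_000_000), drive(&a, true, 1_000_000)));
    println!("{:?}", drive(&[Msg::ClientHello, Msg::Finished], false, 10));
}
```

In the unguarded run the model performs no reads or writes once it reaches the listed state, so each pass is pure CPU work with nothing to block on.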