rustls::ConnectionCommon::complete_io could fall into an infinite loop based on network input.
Details
Verified on rustls 0.22 and 0.23, but the 0.21 and 0.20 release lines are also affected. tokio-rustls and rustls-ffi do not call complete_io and are not affected. The rustls::Stream and rustls::StreamOwned types use complete_io and are affected.
When using a blocking rustls server, if a client sends a close_notify message immediately after client_hello, the server's complete_io gets into an infinite loop where:
eof: false
until_handshaked: true
self.is_handshaking(): true
self.wants_write(): false
self.wants_read(): false
PoC
Run the simple server: cargo run --bin simpleserver test-ca/rsa/end.fullchain test-ca/rsa/end.key
You can observe the server process go to 100% CPU usage, and if you add logging at the beginning of rustls::conn::ConnectionCommon::complete_io, you can see the function spinning.
Also note that the server thread is stuck in this infinite loop even if the client closes the socket.
Impact
This is a DoS.
A multithreaded non-async server that uses rustls could be attacked with a few requests like the above (each request could cause one thread to spin) and stop handling normal requests.
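Before merging a bump like this one it helps to know every rustls version a workspace actually pins, since a Cargo.lock can carry more than one. The following Rust program is an added example and not code from the Renovate PR or from the rustls project: it reads a Cargo.lock with a small hand-written line parser (not the cargo library), lists each rustls entry, and classifies it using only what this page states, namely that 0.22.x below this PR's target 0.22.4 is vulnerable, and that the 0.20, 0.21 and 0.23 lines are affected but no fixed version for them is named here, so those are reported for manual review. The embedded sample lockfile is constructed for the example.

```rust
// Added example, not code from the Renovate PR or from rustls: audit a
// Cargo.lock for rustls entries and classify them using only what this page states.

/// Classification of one rustls entry.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Finding {
    Vulnerable,                 // 0.22.x older than 0.22.4, this PR's target
    Patched,                    // 0.22.4 or later on the 0.22 line
    AffectedLineReviewManually, // 0.20/0.21/0.23: affected, no fix version on this page
    NotCovered,                 // anything else: not described by the advisory here
}

/// Patch level this PR moves the 0.22 line to (0.22.2 -> 0.22.4).
const FIXED_0_22_PATCH: u64 = 4;

/// Read `key = "value"` from one trimmed lockfile line.
fn quoted_value(line: &str, key: &str) -> Option<String> {
    let rest = line.strip_prefix(key)?.trim_start().strip_prefix('=')?.trim();
    Some(rest.strip_prefix('"')?.strip_suffix('"')?.to_string())
}

/// Minimal line-oriented reader for Cargo.lock `[[package]]` tables (hand
/// written here, not the cargo library). Returns (name, version) pairs; the
/// `source`, `checksum` and multi-line `dependencies` keys are skipped.
pub fn parse_lockfile(text: &str) -> Vec<(String, String)> {
    let mut packages = Vec::new();
    let mut current: Option<(Option<String>, Option<String>)> = None;
    // A trailing sentinel header flushes the last table without extra code.
    for raw in text.lines().chain(std::iter::once("[[package]]")) {
        let line = raw.trim();
        if line == "[[package]]" {
            if let Some((Some(name), Some(version))) = current.take() {
                packages.push((name, version));
            }
            current = Some((None, None));
        } else if let Some(entry) = current.as_mut() {
            if let Some(v) = quoted_value(line, "name") {
                entry.0 = Some(v);
            } else if let Some(v) = quoted_value(line, "version") {
                entry.1 = Some(v);
            }
        }
    }
    packages
}

/// Parse "MAJOR.MINOR.PATCH"; any pre-release or build suffix is ignored.
pub fn parse_semver(v: &str) -> Option<(u64, u64, u64)> {
    let core = v.split(|c: char| c == '-' || c == '+').next()?;
    let mut parts = core.split('.').map(|p| p.parse::<u64>().ok());
    Some((parts.next()??, parts.next()??, parts.next()??))
}

/// Classify one rustls version against what this page states.
pub fn assess(version: &str) -> Finding {
    match parse_semver(version) {
        Some((0, 22, patch)) if patch < FIXED_0_22_PATCH => Finding::Vulnerable,
        Some((0, 22, _)) => Finding::Patched,
        Some((0, 20 | 21 | 23, _)) => Finding::AffectedLineReviewManually,
        _ => Finding::NotCovered,
    }
}

/// Every `rustls` entry with its classification. A lockfile can pin several
/// rustls versions (one per dependent), so all are listed. Wrappers such as
/// tokio-rustls do not call complete_io, but the lockfile alone cannot show
/// whether the application itself uses rustls::Stream, so nothing is skipped.
pub fn audit(lock_text: &str) -> Vec<(String, Finding)> {
    parse_lockfile(lock_text)
        .into_iter()
        .filter(|(name, _)| name == "rustls")
        .map(|(_, version)| {
            let finding = assess(&version);
            (version, finding)
        })
        .collect()
}

/// Constructed sample lockfile for this example, not a real project's file.
pub const SAMPLE_LOCK: &str = r#"# Constructed sample, not a real project's lockfile.
version = 3

[[package]]
name = "rustls"
version = "0.22.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "ring",
]

[[package]]
name = "rustls"
version = "0.21.10"

[[package]]
name = "tokio-rustls"
version = "0.25.0"
"#;

fn main() {
    for (version, finding) in audit(SAMPLE_LOCK) {
        println!("rustls {version}: {finding:?}");
    }
}
```

A hit in the lockfile tells you which rustls versions need updating; whether the DoS is actually reachable depends on the application calling complete_io (directly or through rustls::Stream / rustls::StreamOwned) on a blocking socket, which is a code review question the lockfile cannot answer.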
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
[ ] If you want to rebase/retry this PR, check this box
This PR has been generated by Mend Renovate. View repository job log here.
This PR contains the following updates: rustls 0.22.2 -> 0.22.4

GitHub Vulnerability Alerts

CVE-2024-32650