fix: Infinite loop in rustls::conn::ConnectionCommon::complete_io() with proper client input #609
Summary
The project logdna/logdna-agent-v2 used rustls::ConnectionCommon::complete_io, which could fall into an infinite loop based on network input. Verified at 0.22 and 0.23 rustls, but 0.21 and 0.20 release lines are also affected. tokio-rustls and rustls-ffi do not call complete_io and are not affected. rustls::Stream and rustls::StreamOwned types use complete_io and are affected.

When using a blocking rustls server, if a client sends a close_notify message immediately after client_hello, the server's complete_io will get into an infinite loop where:

- eof: false
- until_handshaked: true
- self.is_handshaking(): true
- self.wants_write(): false
- self.wants_read(): false

You could observe the server process get into 100% CPU usage, and if you add logging at the beginning of rustls::conn::ConnectionCommon::complete_io, you could see the function is spinning. A multithread non-async server that uses rustls could be attacked by getting a few requests like above (each request could cause one thread to spin) and stop handling normal requests.

CWE-835
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
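The stuck state listed in the summary, reproduced in a simplified model of a blocking handshake loop. This is an added example, not code from rustls or from this pull request; Msg, Conn, complete_io_model, the spin budget and the no-progress guard are assumptions made for illustration.

```rust
// Simplified model of a blocking complete_io-style loop. Constructed for
// illustration; Msg, Conn and complete_io_model are hypothetical, not rustls code.
enum Msg { ClientHello, CloseNotify, Finished }

struct Conn { handshaking: bool, wants_read: bool, wants_write: bool, inbound: Vec<Msg> }

impl Conn {
    fn new(mut msgs: Vec<Msg>) -> Self {
        msgs.reverse(); // pop() then yields messages in arrival order
        Conn { handshaking: true, wants_read: true, wants_write: false, inbound: msgs }
    }
    // Process one inbound message; returns false when the transport hit EOF.
    fn read_one(&mut self) -> bool {
        match self.inbound.pop() {
            Some(Msg::ClientHello) => self.wants_write = true, // server flight queued
            Some(Msg::CloseNotify) => self.wants_read = false, // peer closed: no more reads
            Some(Msg::Finished) => self.handshaking = false,
            None => return false,
        }
        true
    }
}

// Drives the handshake. `budget` caps iterations so the stuck state is observable
// instead of hanging; `guard` enables the no-progress check (an assumed mitigation).
fn complete_io_model(c: &mut Conn, guard: bool, budget: u32) -> Result<u32, &'static str> {
    let mut eof = false;
    for spins in 0..budget {
        let until_handshaked = c.handshaking;
        if guard && !c.wants_read && !c.wants_write {
            return Err("no further progress possible");
        }
        if c.wants_write { c.wants_write = false; } // flush pending records
        if !eof && c.wants_read { eof = !c.read_one(); }
        match (eof, until_handshaked, c.handshaking) {
            (_, true, false) | (_, false, _) => return Ok(spins + 1),
            (true, true, true) => return Err("unexpected eof"),
            _ => {} // eof=false, still handshaking: loop again
        }
    }
    Err("spin budget exhausted")
}

fn main() {
    let stuck = || Conn::new(vec![Msg::ClientHello, Msg::CloseNotify]);
    println!("normal:    {:?}", complete_io_model(&mut Conn::new(vec![Msg::ClientHello, Msg::Finished]), false, 1000));
    println!("unguarded: {:?}", complete_io_model(&mut stuck(), false, 1000));
    println!("guarded:   {:?}", complete_io_model(&mut stuck(), true, 1000));
}
```

In the model, a plain transport EOF during the handshake is caught by the (true, true, true) arm, while a close_notify leaves eof false and both wants_* flags false, so only the iteration budget or the guard ends the loop.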