[GODRIVER-2869] Protocol validations to reduce client denial of service risks Created: 12/Jun/23  Updated: 28/Oct/23  Resolved: 28/Jun/23

Status: Closed
Project: Go Driver
Component/s: None
Affects Version/s: None
Fix Version/s: 1.12.1

Type: Improvement Priority: Unknown
Reporter: Qingyang Hu Assignee: Qingyang Hu
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Documentation Changes: Not Needed
Documentation Changes Summary:



Description

Tracking PR #1291 to fix two conditions that could result in a denial of service of a client connected to a malicious MongoDB server.

  1. readLengthBytes now requires all 4 bytes of the length prefix to be present. Previously, when reading a document from the wire with fewer than 4 length bytes available, this could result in a tight loop in which an empty struct is appended to a slice repeatedly until the process runs out of memory (consuming both CPU and memory).
  2. Fix a large memory allocation condition in Snappy decompression when a large decoded size is encoded in the Snappy-compressed portion of the bytes.
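As an added illustration of the two checks the ticket describes (this is not code from the driver or from PR #1291): a length-prefix reader that refuses an incomplete 4-byte prefix, and a Snappy decoded-length check applied before any buffer is allocated. The function names, the maxLen bound and the sample bytes are assumptions of this example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// readLengthBytes reads the little-endian int32 length prefix of a BSON
// document and returns the bytes it covers plus the remainder of src.
// Hypothetical helper, not the driver's own code: it fails when fewer than
// 4 prefix bytes are available instead of treating the element as empty.
func readLengthBytes(src []byte) (doc, rest []byte, err error) {
	if len(src) < 4 {
		return nil, src, errors.New("wire: fewer than 4 bytes available for length prefix")
	}
	n := int32(binary.LittleEndian.Uint32(src))
	// A BSON document is at least 5 bytes (length prefix plus terminating 0x00)
	// and can never extend past the bytes actually received.
	if n < 5 || int(n) > len(src) {
		return nil, src, fmt.Errorf("wire: invalid document length %d for %d available bytes", n, len(src))
	}
	return src[:n], src[n:], nil
}

// snappyDecodedLen parses the decoded-length varint that starts a raw Snappy
// block and rejects any claim above maxLen before a buffer of that size is
// allocated. maxLen is the caller's bound (an assumption of this example).
func snappyDecodedLen(block []byte, maxLen int) (int, error) {
	v, n := binary.Uvarint(block)
	if n <= 0 {
		return 0, errors.New("snappy: missing or malformed decoded-length varint")
	}
	if v > uint64(maxLen) {
		return 0, fmt.Errorf("snappy: claimed decoded length %d exceeds limit %d", v, maxLen)
	}
	return int(v), nil
}

func main() {
	// Constructed inputs: a truncated prefix, a minimal document, a 1 TiB claim.
	_, _, err := readLengthBytes([]byte{0x05, 0x00})
	fmt.Println("truncated prefix:", err)
	doc, rest, _ := readLengthBytes([]byte{0x05, 0, 0, 0, 0, 0xAA, 0xBB})
	fmt.Printf("document %x, remaining %x\n", doc, rest)
	hdr := make([]byte, binary.MaxVarintLen64)
	_, err = snappyDecodedLen(hdr[:binary.PutUvarint(hdr, 1<<40)], 16<<20)
	fmt.Println("oversized snappy claim:", err)
}
```

A real decoder call would follow only after snappyDecodedLen accepts the claimed size.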


Comments
Comment by Githook User [ 01/Aug/23 ]

Author:

{'name': 'Qingyang Hu', 'email': '103950869+qingyang-hu@users.noreply.github.com', 'username': 'qingyang-hu'}

Message: GODRIVER-2869 Test touchup (#1307)
Branch: release/1.12
https://github.com/mongodb/mongo-go-driver/commit/9318bc286d4ae3c2618fb3b17cac16ce548bc836

Comment by Githook User [ 01/Aug/23 ]

Author:

{'name': 'Mike Jensen', 'email': 'jentfoo@users.noreply.github.com', 'username': 'jentfoo'}

Message: GODRIVER-2869 Two protocol validations to reduce client denial of service risks (#1291)

Co-authored-by: Alan Parra <alan.parra@goteleport.com>
Co-authored-by: Qingyang Hu <103950869+qingyang-hu@users.noreply.github.com>
Branch: release/1.12
https://github.com/mongodb/mongo-go-driver/commit/436a9821764514d48feb3362d67133e82df05963

Comment by Githook User [ 28/Jun/23 ]

Author:

{'name': 'Qingyang Hu', 'email': '103950869+qingyang-hu@users.noreply.github.com', 'username': 'qingyang-hu'}

Message: GODRIVER-2869 Test touchup (#1307)
Branch: master
https://github.com/mongodb/mongo-go-driver/commit/8489898c64a2d8c2e2160006eb851a11a9db9e9d

Comment by Githook User [ 22/Jun/23 ]

Author:

{'name': 'Mike Jensen', 'email': 'jentfoo@users.noreply.github.com', 'username': 'jentfoo'}

Message: GODRIVER-2869 Two protocol validations to reduce client denial of service risks (#1291)

Co-authored-by: Alan Parra <alan.parra@goteleport.com>
Co-authored-by: Qingyang Hu <103950869+qingyang-hu@users.noreply.github.com>
Branch: master
https://github.com/mongodb/mongo-go-driver/commit/a888dc6678b7a91301018a6e1bf04bdd3d22a63b

Generated at Thu Feb 08 08:39:32 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.