-
-
Notifications
You must be signed in to change notification settings - Fork 790
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Stack overflow when parsing lots of open square brackets #82
Comments
Parsing json and xml (I'm guessing YAML, too) without recursion requires keeping the stack manually in some heap structure. Since I've seen some FIXME's in the json code about removing heap allocations, I'm assuming that this is not the desired way to do things in serde. |
wheee, can you turn this into a (cargo-cfg enabled) integration test? |
Interesting idea. Would be pretty cool to get that working, but I'm probably not going to spend any time on it |
As a general comment: When safety is concerned, and there is no control over the input of the program (or the input-source is untrusted), any algorithm using recursion can be considered unsafe unless it restricts its recursion depth explicitly to prevent overflows from the get-go. Even then it might fail in case the stack is smaller than expected. This ticket should, at the very least, result in some red, bold text stating that untrusted input should be deserialized in a separate thread to prevent the main thread (and the process with it) from crashing in case manufactured input is encountered. Before I started using Rust as primary language, I wasn't even aware of this, and outside of the Rust infrastructure, I wouldn't even care too much. However, since Rust ought to be save, anything that can crash a program should be something we at least make explicit. Thinking about it: if we would implement a non-recursive algorithm which keeps data on the heap, the problem would just be offset, as the input needed to cause an out-of-memory situation would just have to be larger. The latter could be even worse on a server as it could affect other services. Maybe a good way to deal with this is to provide an option during deserialization to specify the maximum allowed recursion depth. This comes with the benefit of being easy to implement as well. |
I like it. The API should not break though, but it could offer new options for setting this depth, and set it to something reasonable by default.
I thought OOM is safe according to Rust's safety-rules? Crashing might not be desired behavior, but it is safe behavior. |
I agree, let's stick to the terminology Rust setup already, which would make such a crash 'safe' indeed. Personally I'd like to extend that concept and try to write code that is also safe from 'manufactured input' attacks that can crash your program and thus make a service unavailable. Standard DOS attacks which bring a service down by brute force are still possible of course, but at least some effort has to be made to do it then (e.g. there is a difference between 1 node feeding 10 servers malicious input, and 1000 nodes trying to saturate the capacity of said servers). |
|
This has been fixed in serde_json 0.8.4:
but most other formats are still vulnerable. |
This no longer affects serde_json. Let's follow up in the issue trackers of individual formats as needed. |
Code
Input
Crash
This bug was found using https://github.com/kmcallister/afl.rs 👍
The text was updated successfully, but these errors were encountered: