Описание
Go-Ethereum vulnerable to denial of service via malicious p2p message
Impact
A vulnerable node, can be made to consume unbounded amounts of memory when handling specially crafted p2p messages sent from an attacker node.
Details
The p2p handler spawned a new goroutine to respond to ping requests. By flooding a node with ping requests, an unbounded number of goroutines can be created, leading to resource exhaustion and potentially crash due to OOM.
Patches
The fix is included in geth version 1.12.1-stable, i.e, 1.12.2-unstable and onwards.
Fixed by https://github.com/ethereum/go-ethereum/pull/27887
Workarounds
No known workarounds.
Credits
This bug was reported by Patrick McHardy and reported via bounty@ethereum.org.
References
Пакеты
github.com/ethereum/go-ethereum
< 1.12.1-stable
1.12.1-stable
Связанные уязвимости
go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. A vulnerable node, can be made to consume unbounded amounts of memory when handling specially crafted p2p messages sent from an attacker node. The fix is included in geth version `1.12.1-stable`, i.e, `1.12.2-unstable` and onwards. Users are advised to upgrade. There are no known workarounds for this vulnerability.
go-ethereum (geth) is a golang execution layer implementation of the E ...