BUGFIX: memory was allocated based on encoded length instead of the length of the io.Reader, causing potential DOS due to unexpected high memory usage (max MaxPacketLengthBytes)

Signed-off-by: Tim Ramlot <[email protected]>

Author: inteon

ber.go

@@ -5,6 +5,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"io/ioutil"
 	"math"
 	"os"
 	"reflect"
@@ -352,13 +353,22 @@ func readPacket(reader io.Reader) (*Packet, int, error) {
 	if MaxPacketLengthBytes > 0 && int64(length) > MaxPacketLengthBytes {
 		return nil, read, fmt.Errorf("length %d greater than maximum %d", length, MaxPacketLengthBytes)
 	}
-	content := make([]byte, length)
+
+	var content []byte
 	if length > 0 {
-		_, err := io.ReadFull(reader, content)
+		// Read the content and limit it to the parsed length.
+		// If the content is less than the length, we return an EOF error.
+		content, err = ioutil.ReadAll(io.LimitReader(reader, int64(length)))
+		if err == nil && len(content) < int(length) {
+			err = io.EOF
+		}
 		if err != nil {
 			return nil, read, unexpectedEOF(err)
 		}
-		read += length
+		read += len(content)
+	} else {
+		// If length == 0, we set the ByteValue to an empty slice
+		content = make([]byte, 0)
 	}
 
 	if p.ClassType == ClassUniversal {

fuzz_test.go

@@ -30,11 +30,6 @@ func FuzzDecodePacket(f *testing.F) {
 	f.Add([]byte{0x09, 0x02, 0x85, 0x30})
 	f.Add([]byte{0x09, 0x01, 0xcf})
 
-	// Set a limit on the length decoded in readPacket() since the call to
-	// make([]byte, length) can allocate up to MaxPacketLengthBytes which is
-	// currently 2 GB. This can cause memory related crashes when fuzzing in
-	// parallel or on memory constrained devices.
-	MaxPacketLengthBytes = 65536
 	f.Fuzz(func(t *testing.T, data []byte) {
 		stime := time.Now()
 		p, err := DecodePacketErr(data)