Add tokio-rustls DoS advisory (#304)

2026-01-23 11:49:05 +01:00 · 2020-06-30 14:01:58 +08:00
parent 48c8653408
commit de07a7d207
1 changed files with 20 additions and 0 deletions
--- a/crates/tokio-rustls/RUSTSEC-0000-0000.toml
+++ b/crates/tokio-rustls/RUSTSEC-0000-0000.toml
@@ -0,0 +1,20 @@
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "tokio-rustls"
+date = "2020-05-19"
+title = "tokio-rustls reads may cause excessive memory usage"
+url = "https://github.com/tokio-rs/tls/pull/14"
+categories = ["denial-of-service"]
+keywords = ["tls", "ssl", "DoS"]
+description = """
+`tokio-rustls` does not call `process_new_packets` immediately after `read`,
+so the expected termination condition `wants_read` always returns true.
+As long as new incoming data arrives faster than it is processed
+and the reader does not return pending, data will be buffered.
+
+This may cause DoS.
+"""
+
+[versions]
+unaffected = ["< 0.12"]
+patched = [">= 0.12.3, < 0.13.0", ">= 0.13.1"]