From de07a7d2078d70b88d04b24ab954278a2c5b6ce7 Mon Sep 17 00:00:00 2001
From: quininer
Date: Tue, 30 Jun 2020 14:01:58 +0800
Subject: [PATCH] Add tokio-rustls DoS advisory (#304)

---
 crates/tokio-rustls/RUSTSEC-0000-0000.toml | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
 create mode 100644 crates/tokio-rustls/RUSTSEC-0000-0000.toml

diff --git a/crates/tokio-rustls/RUSTSEC-0000-0000.toml b/crates/tokio-rustls/RUSTSEC-0000-0000.toml
new file mode 100644
index 0000000..ad708ba
--- /dev/null
+++ b/crates/tokio-rustls/RUSTSEC-0000-0000.toml
@@ -0,0 +1,20 @@
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "tokio-rustls"
+date = "2020-05-19"
+title = "tokio-rustls reads may cause excessive memory usage"
+url = "https://github.com/tokio-rs/tls/pull/14"
+categories = ["denial-of-service"]
+keywords = ["tls", "ssl", "DoS"]
+description = """
+`tokio-rustls` does not call `process_new_packets` immediately after `read`,
+so the expected termination condition `wants_read` always returns true.
+As long as new incoming data arrives faster than it is processed
+and the reader does not return pending, data will be buffered.
+
+This may cause DoS.
+"""
+
+[versions]
+unaffected = ["< 0.12"]
+patched = [">= 0.12.3, < 0.13.0", ">= 0.13.1"]
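Review bot: The `unaffected = ["< 0.12"]` range in the `[versions]` table is stated without any indication of why releases before 0.12 are safe, and the description explains the defect but not when it was introduced, so someone triaging a pinned 0.11 dependency has to take the range on trust. A one-line comment above it, e.g. `# TODO: state why releases before 0.12 are not affected (see the linked PR)`, would make the claim auditable; I only infer from the range that the bug arrived with 0.12, so the reason should be confirmed against the fix. In `keywords`, `"DoS"` is the only mixed-case entry; if the database matches keywords case-sensitively, lowercase `"dos"` keeps it consistent with `"tls"` and `"ssl"`.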