From ee46afab28c0142405dc9ca321c1f900e6873d49 Mon Sep 17 00:00:00 2001
From: Josh Stone
Date: Wed, 2 Nov 2022 15:38:07 -0700
Subject: [PATCH] Add conduit-hyper CVE-2022-39294 (#1456)
---
 crates/conduit-hyper/RUSTSEC-0000-0000.md | 24 +++++++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 crates/conduit-hyper/RUSTSEC-0000-0000.md
diff --git a/crates/conduit-hyper/RUSTSEC-0000-0000.md b/crates/conduit-hyper/RUSTSEC-0000-0000.md
new file mode 100644
index 0000000..d6ff7bc
--- /dev/null
+++ b/crates/conduit-hyper/RUSTSEC-0000-0000.md
@@ -0,0 +1,24 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "conduit-hyper"
+date = "2022-10-30"
+url = "https://github.com/conduit-rust/conduit-hyper/security/advisories/GHSA-9398-5ghf-7pr6"
+categories = ["denial-of-service"]
+aliases = ["GHSA-9398-5ghf-7pr6", "CVE-2022-39294"]
+cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+
+[versions]
+patched = [">= 0.4.2"]
+unaffected = ["< 0.2.0-alpha.3"]
+```
+
+# Denial of Service from unchecked request length
+
+Prior to version 0.4.2, `conduit-hyper` did not check any limit on a request's
+length before calling `hyper::body::to_bytes`. An attacker could send a
+malicious request with an abnormally large `Content-Length`, which could lead
+to a panic if memory allocation failed for that request.
+
+In version 0.4.2, `conduit-hyper` sets an internal limit of 128 MiB per
+request, otherwise returning status 400 ("Bad Request").