Skip to content

SSE stream buffers malicious BMC data unbounded with timeout disabled #138

Description

@yoks

Summary

Severity: MEDIUM
Category: uncontrolled_resource_consumption
File: bmc-http/src/reqwest.rs:1073

Description

Client::sse sets .timeout(Duration::MAX) then feeds response.bytes_stream() into sse_stream::SseStream::from_byte_stream (reqwest.rs:1085) with no cap on buffered event size. SSE framing buffers a data: line until a terminator arrives; a server that never sends one grows the buffer indefinitely. The usual total-request timeout backstop is deliberately removed on this path.

Reachable via EventService::events()HttpBmc::stream (bmc-http/src/lib.rs:825-838) → Client::sse.

Impact

A compromised BMC can exhaust the client process's memory, killing the daemon and taking down monitoring of every other BMC managed by the same process.

Exploit Scenario

Client subscribes to BMC events; compromised BMC responds with a valid SSE header then streams gigabytes of data: payload with no newline; client memory grows until the OS kills the process.

Recommendation

  • Enforce a maximum unterminated-event size (e.g. 1 MiB) and abort the stream with an error when exceeded.
  • Expose an SSE idle/read timeout in ClientParams instead of hardcoding Duration::MAX.

Reported by automated scan — 2026-07-11

Metadata

Metadata

Assignees

Labels

bugSomething isn't workinggood first issueGood for newcomers

Type

No type

Fields

No fields configured for issues without a type.

Projects

Status
Triage

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions