Bound patch decompression to guard against zstd bombs #245

Merged: larsewi merged 1 commit into master from limit-patch-decompression, Jun 26, 2026
@larsewi (Owner) commented Jun 26, 2026

decode_patch streamed untrusted wire bytes through zstd::decode_all with no output cap, so a small malicious frame could expand to gigabytes and OOM the receiver. This decompresses through a bounded reader and rejects output exceeding a 1 GiB ceiling. Adds unit tests.

🤖 Generated with Claude Code

decode_patch streamed untrusted wire bytes through zstd::decode_all with
no output cap, so a small malicious frame could expand to gigabytes and
OOM the receiver. Decompress through a bounded reader and reject output
exceeding a 1 GiB ceiling.

Signed-off-by: Lars Erik Wik <lars.erik.wik@northern.tech>

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@larsewi larsewi marked this pull request as ready for review June 26, 2026 11:19
@larsewi larsewi added the bug Bug fix label Jun 26, 2026
@larsewi larsewi merged commit 6bea8ad into master Jun 26, 2026
7 checks passed
@larsewi larsewi deleted the limit-patch-decompression branch June 26, 2026 11:20
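
The bound described in this PR, as an added example; it is not the project's code, which this page does not show. A toy run-length decoder (`RleDecoder`, hypothetical) stands in for a streaming zstd decoder, and the hypothetical helper `decode_bounded` reads through `Read::take` with a one-byte allowance past the limit so oversize output is rejected instead of buffered.

```rust
use std::io::{self, Read};

// Toy run-length decoder standing in for a streaming zstd decoder (assumption).
// Constructed input format: repeated records of [u32 LE count][byte].
struct RleDecoder<'a> { input: &'a [u8], left: u32, byte: u8 }

impl<'a> RleDecoder<'a> {
    fn new(input: &'a [u8]) -> Self { RleDecoder { input, left: 0, byte: 0 } }
}

impl Read for RleDecoder<'_> {
    fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> {
        while self.left == 0 {
            // End of stream; a trailing partial record is ignored in this toy.
            if self.input.len() < 5 { return Ok(0); }
            let i = self.input;
            self.left = u32::from_le_bytes([i[0], i[1], i[2], i[3]]);
            self.byte = i[4];
            self.input = &i[5..];
        }
        let n = buf.len().min(self.left as usize);
        buf[..n].fill(self.byte);
        self.left -= n as u32;
        Ok(n)
    }
}

// Hypothetical helper: return the decoded bytes, or an error if they exceed `limit`.
fn decode_bounded<R: Read>(decoder: R, limit: u64) -> io::Result<Vec<u8>> {
    let mut out = Vec::new();
    // Read one byte past the limit so "exactly at limit" and "over" differ.
    decoder.take(limit.saturating_add(1)).read_to_end(&mut out)?;
    if out.len() as u64 > limit {
        return Err(io::Error::new(io::ErrorKind::InvalidData, "decoded output exceeds limit"));
    }
    Ok(out)
}

fn main() {
    // Constructed 5-byte input that decodes to u32::MAX zero bytes (about 4 GiB).
    let bomb: [u8; 5] = [0xff, 0xff, 0xff, 0xff, 0x00];
    let limit = 1 << 20; // 1 MiB for the demo; the PR describes a 1 GiB ceiling
    println!("bomb: {:?}", decode_bounded(RleDecoder::new(&bomb), limit).map(|v| v.len()));
    let small: [u8; 5] = [3, 0, 0, 0, b'a'];
    println!("small: {:?}", decode_bounded(RleDecoder::new(&small), limit));
}
```

The cap has to sit on the decoder's output side; limiting the size of the compressed input does not bound how far it expands.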