A node could be forced to allocate large buffers when receiving a message, which could be leveraged to remotely crash it by OOM.

This issue is considered Medium severity.

Details

Without a tighter bound, the size of a received message was limited only by the maximum serialized message size of 32 MiB. An attacker could force a node to allocate this much RAM per connection, which may lead to an OOM.

PR #5843 reduced the size a P2P message may announce, with the check applied before its payload is received. This reduces the per-peer receive buffer memory a malicious peer can cause a node to allocate. The PR reduced the limit from 32 MiB to 2 MiB, which was later raised to 4 MB as part of the Segwit BIP144 changes.
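The following is an added illustration, not Bitcoin Core's code: a Python model of a P2P message receiver that parses the 24-byte message header and rejects an oversized declared payload length before any payload bytes are buffered. The constants, function names and the forged header are constructed for the example; the two bounds follow the figures given above.

```python
import hashlib
import struct

# Constructed for this example; the bounds follow the figures in the text above.
MAGIC_MAIN = bytes.fromhex("f9beb4d9")          # mainnet network magic
HEADER_LEN = 24                                  # magic(4) + command(12) + length(4) + checksum(4)
MAX_SIZE = 32 * 1024 * 1024                      # serializer limit that bounded messages before the fix
MAX_PROTOCOL_MESSAGE_LENGTH = 4 * 1024 * 1024    # per-message cap enforced on the header

def checksum(payload: bytes) -> bytes:
    """First 4 bytes of double-SHA256, as used in the P2P message header."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def build_message(command: str, payload: bytes) -> bytes:
    """Serialize a well-formed message: header followed by payload."""
    cmd = command.encode("ascii").ljust(12, b"\x00")
    return MAGIC_MAIN + cmd + struct.pack("<I", len(payload)) + checksum(payload) + payload

def header_payload_size(header: bytes, max_len: int) -> int:
    """Parse a 24-byte header and return the declared payload size.
    Raises ValueError if the header is malformed or declares more than max_len bytes.
    The check uses the header alone, so no payload bytes are read or buffered first."""
    if len(header) != HEADER_LEN:
        raise ValueError("short header")
    if header[:4] != MAGIC_MAIN:
        raise ValueError("bad magic")
    (size,) = struct.unpack("<I", header[16:20])
    if size > max_len:
        raise ValueError(f"declared payload {size} exceeds limit {max_len}")
    return size

def receive_message(stream: bytes, max_len: int = MAX_PROTOCOL_MESSAGE_LENGTH):
    """Simulated receive: validate the header, then read exactly the declared bytes.
    A peer that lies in the header can cost at most max_len bytes of buffer, not MAX_SIZE."""
    size = header_payload_size(stream[:HEADER_LEN], max_len)
    payload = stream[HEADER_LEN:HEADER_LEN + size]
    if len(payload) != size:
        raise ValueError("truncated payload")
    if checksum(payload) != stream[20:24]:
        raise ValueError("checksum mismatch")
    return stream[4:16].rstrip(b"\x00").decode("ascii"), payload

def demo():
    """Same header, old bound versus new bound: a 31 MiB claim passes the 32 MiB serializer
    limit (the node would go on buffering it), but is refused at the header under the 4 MB cap."""
    forged = MAGIC_MAIN + b"block".ljust(12, b"\x00") + struct.pack("<I", 31 * 1024 * 1024) + b"\x00" * 4
    before = header_payload_size(forged, MAX_SIZE)
    try:
        header_payload_size(forged, MAX_PROTOCOL_MESSAGE_LENGTH)
        after = "accepted"
    except ValueError:
        after = "rejected"
    return before, after
```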

Attribution

Reported to Greg Maxwell by bitcointalk user Evil-Knievel. Fixed by Pieter Wuille.

Timeline

  • 2015-02-05 Evil-Knievel reports the vulnerability to Greg Maxwell through bitcointalk private messages.
  • 2015-??-?? CVE-2015-3641 is registered for it.
  • 2015-03-01 PR #5843 is opened to fix it.
  • 2015-03-06 PR #5843 is merged.
  • 2015-03-09 The fix is backported to version 0.10.1.
  • 2015-04-27 Bitcoin Core version 0.10.1 is released with a fix.
  • 2015-06-25 A disclosure is pre-announced.
  • 2015-07-07 Disclosure is postponed.
  • 2016-08-23 The last vulnerable Bitcoin Core version (0.10.x) goes EOL.
  • 2024-07-03 Public disclosure.