A node could be forced to allocate large receive buffers sized by the length advertised in an incoming message, which an attacker could leverage to crash it remotely by exhausting memory (OOM).
This issue is considered Medium severity.
Details
Without a tighter bound, the size of a received message was limited only by the maximum serialized message size of 32 MiB. A malicious peer could therefore force a node to allocate up to 32 MiB of RAM per connection, which may lead to an OOM.
PR #5843 lowered the maximum size a P2P message may advertise, with the check applied against the header before the payload is received. This reduces the per-peer receive buffer memory a malicious peer can cause the node to allocate. The PR lowered the limit from 32 MiB to 2 MiB; it was later raised to 4 MB as part of the Segwit BIP144 changes.
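As an added illustration (not code from Bitcoin Core or from this advisory), the C++ sketch below models the receive path described above: a 24-byte P2P header whose length field is attacker-controlled is parsed before any payload arrives, and a per-peer receiver either reserves the advertised size (the pre-fix behaviour, bounded only by the 32 MiB serialization limit) or rejects the peer when the header exceeds a cap (the behaviour after PR #5843). The `PeerReceiver` class, `make_header`, the sample magic value and the constructed headers are this example's own; checksum verification and the real Bitcoin Core net code are not modeled.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Limits named in the advisory (note the mixed units: MiB vs decimal MB).
constexpr uint32_t MAX_SIZE_SERIALIZED         = 32u * 1024u * 1024u; // 32 MiB, the old implicit cap
constexpr uint32_t MAX_PROTOCOL_MSG_LEN_2015   = 2u * 1024u * 1024u;  // 2 MiB, PR #5843
constexpr uint32_t MAX_PROTOCOL_MSG_LEN_SEGWIT = 4u * 1000u * 1000u;  // 4 MB, BIP144

constexpr size_t HEADER_SIZE = 24; // magic(4) + command(12) + length(4) + checksum(4)

struct MessageHeader {
    uint32_t magic = 0;
    std::string command;
    uint32_t payload_length = 0;
    uint32_t checksum = 0;
};

static uint32_t read_le32(const uint8_t* p) {
    return uint32_t(p[0]) | (uint32_t(p[1]) << 8) | (uint32_t(p[2]) << 16) | (uint32_t(p[3]) << 24);
}
static void write_le32(std::vector<uint8_t>& out, uint32_t v) {
    for (int i = 0; i < 4; ++i) out.push_back(uint8_t(v >> (8 * i)));
}

// Parse the fixed-size wire header; the length field is what the peer controls.
MessageHeader parse_header(const uint8_t* buf) {
    MessageHeader h;
    h.magic = read_le32(buf);
    size_t n = 0;
    while (n < 12 && buf[4 + n] != 0) ++n; // command is NUL-padded to 12 bytes
    h.command.assign(reinterpret_cast<const char*>(buf + 4), n);
    h.payload_length = read_le32(buf + 16);
    h.checksum = read_le32(buf + 20);
    return h;
}

// Constructed test input: a header advertising an arbitrary payload length.
// The checksum stays 0 because it can only be verified once the payload is in.
std::vector<uint8_t> make_header(const std::string& command, uint32_t payload_length) {
    std::vector<uint8_t> out;
    write_le32(out, 0xD9B4BEF9u); // sample magic value (assumption for this example)
    for (size_t i = 0; i < 12; ++i) out.push_back(i < command.size() ? uint8_t(command[i]) : 0);
    write_le32(out, payload_length);
    write_le32(out, 0);
    return out;
}

// Per-peer receive state. `cap` is the largest payload length accepted on the
// strength of the header alone, i.e. before any payload byte has arrived.
class PeerReceiver {
public:
    explicit PeerReceiver(uint32_t cap) : cap_(cap) {}

    // Feed bytes as they come off the socket; false means the peer was rejected.
    bool feed(const uint8_t* data, size_t len) {
        if (rejected_) return false;
        for (size_t i = 0; i < len;) {
            if (header_.size() < HEADER_SIZE) {
                header_.push_back(data[i++]);
                if (header_.size() == HEADER_SIZE && !on_header_complete()) {
                    rejected_ = true;
                    return false;
                }
            } else {
                size_t take = std::min<size_t>(hdr_.payload_length - payload_.size(), len - i);
                payload_.insert(payload_.end(), data + i, data + i + take);
                i += take;
                if (payload_.size() == hdr_.payload_length) finish_message();
            }
        }
        return true;
    }

    bool rejected() const { return rejected_; }
    size_t reserved_bytes() const { return payload_.capacity(); }
    size_t messages_completed() const { return completed_; }

private:
    bool on_header_complete() {
        hdr_ = parse_header(header_.data());
        // The fix, in spirit: bound the advertised size BEFORE reserving anything.
        // With cap == MAX_SIZE_SERIALIZED this degrades to the pre-fix behaviour.
        if (hdr_.payload_length > cap_) return false;
        payload_.reserve(hdr_.payload_length); // the allocation a malicious peer was driving
        if (hdr_.payload_length == 0) finish_message();
        return true;
    }
    void finish_message() { ++completed_; header_.clear(); payload_.clear(); }

    uint32_t cap_;
    bool rejected_ = false;
    size_t completed_ = 0;
    MessageHeader hdr_;
    std::vector<uint8_t> header_, payload_;
};

int main() {
    std::vector<uint8_t> evil = make_header("block", MAX_SIZE_SERIALIZED);
    PeerReceiver old_node(MAX_SIZE_SERIALIZED), fixed_node(MAX_PROTOCOL_MSG_LEN_2015);
    old_node.feed(evil.data(), evil.size());
    fixed_node.feed(evil.data(), evil.size());
    std::printf("old node reserved %zu bytes after a 24-byte header\n", old_node.reserved_bytes());
    std::printf("fixed node rejected peer: %s, reserved %zu bytes\n",
                fixed_node.rejected() ? "yes" : "no", fixed_node.reserved_bytes());
    return 0;
}
```

The point the example makes is where the check sits: the reservation is driven entirely by 4 attacker-chosen bytes, so any bound that is only enforced after the payload (or its checksum) has been read arrives too late. Multiply the reserved figure by the number of inbound connections a node accepts to see why the old 32 MiB bound was enough to push a node into OOM.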
Attribution
Reported to Greg Maxwell by bitcointalk user Evil-Knievel. Fixed by Pieter Wuille.
Timeline
- 2015-02-05 Evil-Knievel reports the vulnerability to Greg Maxwell through bitcointalk private messages.
- 2015-??-?? CVE-2015-3641 is registered for it.
- 2015-03-01 PR #5843 is opened to fix it.
- 2015-03-06 PR #5843 is merged.
- 2015-03-09 The fix is backported to version 0.10.1.
- 2015-04-27 Bitcoin Core version 0.10.1 is released with a fix.
- 2015-06-25 A disclosure is pre-announced.
- 2015-07-07 Disclosure is postponed.
- 2016-08-23 The last vulnerable Bitcoin Core version (0.10.x) goes EOL.
- 2024-07-03 Public disclosure.