Disclosure of the details of an integer overflow bug which causes an assertion crash, a fix for which was released on September 14th, 2021 in Bitcoin Core version v22.0.
This issue is considered High severity.
Details
CAddrMan has a 32-bit nIdCount field that is incremented on every insertion
into addrman, and which then becomes the identifier for the new entry. By
getting the victim to insert 232 entries (through e.g. spamming addr
messages), this identifier overflows, which leads to an assertion crash.
Attribution
Credit goes to Eugene Siegel for discovering and disclosing the vulnerability, and to Pieter Wuille for fixing the issue in https://github.com/bitcoin/bitcoin/pull/22387.
Timeline
- 2021-06-21 - Initial report sent to security@bitcoincore.org by Eugene Siegel
- 2021-07-19 - Fix is merged (https://github.com/bitcoin/bitcoin/pull/22387)
- 2021-09-13 - v22.0 is released
- 2024-07-31 - Public disclosure