[Medium] [stream] unauthenticated memory-allocation DoS in the stream handshake frames #3244
Description
This issue is a continuation of preconditions in #3083, but from another perspective.
In the stream implementation, a peer can force the listener to allocate up to max_message_size bytes by sending a varint length prefix claiming a large payload, then stalling without sending the payload data.
An attacker may send a varint claiming the maximum possible size, then stall. The receiver allocates that amount of memory and waits up to handshake timeout for data that never arrives. This increases the DoS attack surface
The flow:
stream/src/encrypted.rs:244- recv_frame(&mut stream, config.max_message_size) is called.stream/src/utils/codec.rs:57-63- recv_frame decodes the varint length, checks len <= max_message_size, then calls stream.recv(skip + len)runtime/src/network/tokio.rs:47- recv() calls self.pool.alloc_len(len), which allocates the full buffer beforeread_exactreads bytes
The main idea for fixing that is to use max_message_size for post-handshake data frames and max_handshake_frame_size for small pre-auth frames. Also, it should be addressed together with #3083