Rpc Server: WitnessRules potential DDOS #2950
Comments
cschuchardt88
added
the
Discussion
|
Please check https://github.com/neo-project/neo/security and https://neo.org/bounty for proper reporting of any security issues. |
|
By default, Kestrel has a maximum of 30MB for body length and we already have an authentication mechanism; Btw, we can lower this limit. |
|
But what about Akka? This can affect that as well and ISerializable. But that has limits right? On how big the packet can be? 1MB? @shargon What is the max allow Conditions for an transaction? If there isn't one I think there should be one. |
Do you think that's not enough with neo/src/Neo/Network/P2P/Payloads/Conditions/WitnessCondition.cs Lines 24 to 25 in 5207956 |
|
Yes. but if it isn't than they can send another transaction to make up for it? |
|
@roman-khimov Looking at the code again no. Cause it deals with this like code: You keep creating it, you get it? Idk what else could be using this, but maxdepth is added but here |
Summary or problem description
There is a potential problem with
rpc serverwith signer rules. The neo function see below doesn't pass the max depth for json object. This will allow someone to DDOS allRpc nodes. I will not post the way to do this here.neo/src/Neo/Network/P2P/Payloads/WitnessRule.cs
Line 63 in 4e9314d
https://github.com/neo-project/neo-modules/blob/09c2879958a916e0867fc78c64a04edfabe6935f/src/RpcServer/RpcServer.SmartContract.cs#L166-L182
Do you have any solution you want to propose?
Put a max depth
Where in the software does this update applies to?
The text was updated successfully, but these errors were encountered: