Moby Spdystream Memory Exhaustion Vulnerability in SPDY Frame Parsing Leading to Denial-of-Service
Vulnerability
A denial-of-service vulnerability has been identified in the Moby Spdystream library, affecting versions through 0.5.0. The issue lies in the SPDY/3 frame parser, which does not validate peer-controlled counts and lengths before allocating memory. A remote peer can therefore send crafted SPDY frames that cause the process to allocate excessive amounts of memory, leading to an out-of-memory crash. Three unvalidated allocation paths are involved: the SETTINGS frame entry count, the header count in the 'parseHeaderValueBlock' function, and the size of each individual header field. Each of these values is read from the frame as a 32-bit integer and used directly to size an allocation, with no bounds check. Because SPDY header blocks are zlib-compressed, a small payload can decompress into large, attacker-controlled values, amplifying the effect.
Impact
Exploitation of this vulnerability causes the process to crash due to excessive memory consumption, leading to a denial-of-service condition.
Remediation
Users should upgrade to Spdystream version 0.5.1, which addresses the vulnerability by validating the SETTINGS entry count, enforcing limits on the number of headers and on the size of each header field, and closing the connection when a protocol error is encountered. Version 0.5.1 also allows users to configure these limits.
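As an added illustration (not spdystream's own code), the following Go parser for a SPDY/3 name/value block applies the kind of limits described above: the pair count and every field length are checked against configurable caps and against the bytes actually present before they size any allocation, and a violation is reported as a protocol error so the caller can close the connection. The Limits type, its field names and sampleBlock are assumptions of this example.

```go
package main

import (
	"encoding/binary"
	"errors"
)

// Limits checked before any allocation; names are this example's own, not spdystream's API.
type Limits struct {
	MaxHeaders   uint32 // name/value pairs allowed per block
	MaxFieldSize uint32 // bytes allowed per name or value
}

// ErrProtocol marks a malformed block; the caller should close the connection.
var ErrProtocol = errors.New("spdy: protocol error")
// sampleBlock is a constructed, well-formed block: one pair, "host" -> "x".
var sampleBlock = []byte{0, 0, 0, 1, 0, 0, 0, 4, 'h', 'o', 's', 't', 0, 0, 0, 1, 'x'}

// parseHeaderBlock decodes a decompressed SPDY/3 name/value block (uint32 pair count,
// then length-prefixed name and value per pair, big-endian), checking each value first.
func parseHeaderBlock(buf []byte, lim Limits) (map[string]string, error) {
	if len(buf) < 4 {
		return nil, ErrProtocol
	}
	count := binary.BigEndian.Uint32(buf)
	buf = buf[4:]
	// Each pair needs >= 8 bytes of length prefixes, so reject counts the payload cannot hold.
	if count > lim.MaxHeaders || uint64(count)*8 > uint64(len(buf)) {
		return nil, ErrProtocol
	}
	hdrs := make(map[string]string, count) // count is bounded here
	for i := uint32(0); i < count; i++ {
		var kv [2]string // name, value
		for j := range kv {
			if len(buf) < 4 {
				return nil, ErrProtocol
			}
			n := binary.BigEndian.Uint32(buf)
			buf = buf[4:]
			if n > lim.MaxFieldSize || uint64(n) > uint64(len(buf)) {
				return nil, ErrProtocol
			}
			kv[j] = string(buf[:n])
			buf = buf[n:]
		}
		hdrs[kv[0]] = kv[1]
	}
	return hdrs, nil
}
```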
