The CBOR library is sensitive to a DOS attack

[vivekidem]

Hi Team,

According a specially crafted message, the library will try to allocate a message that is way above the memory capacity.

For a CBOR array input. The code was trying to decode the CBOR array before trying to use the byte[]. The library that has no limit on the allocation memory that is requires -> an attacker could get craft a packet that will ask the library to allocate an object that will exceed the available memory.

[c-rack]

@vivekidem Would you like to make a PR that fixes this?

[vinaymjoshi]

@c-rack , from client side it can be mitigated by setting a definite value in setMaxPreallocationSize :

try { val decoder = CborDecoder(ByteArrayInputStream(this)) decoder.setMaxPreallocationSize(1024) return decoder.decode() } catch (e: CborException) { throw UnexpectedEndOfStream(message = "Invalid CBOR Encoded data ") }

However if client side above config is not set, then there should be some default value from library side.