Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Suggestion 5: Improve Handling of Excessively Large Messages During Encryption / Decryption #480

Open
mpguerra opened this issue Feb 18, 2025 · 0 comments · May be fixed by #493
Open

Suggestion 5: Improve Handling of Excessively Large Messages During Encryption / Decryption #480

mpguerra opened this issue Feb 18, 2025 · 0 comments · May be fixed by #493
Milestone
FROST Demo Audit

Comments

@mpguerra
Copy link
Contributor

Location

src/comms/http.rs#L306
src/comms/http.rs#L460

Synopsis

In order to prevent denial of service (DoS) attacks, a message from the server must have a size of less than 65535 bytes in the functions encrypt and decrypt for the coordinator, participant, and DKG protocol. If the message exceeds this bound, the code of the coordinator (for example) would abort in L460 of the function recv when the coordinator receives a message from the participant. Hence, a malicious participant can end the coordinator process by sending a message that is too large to decrypt.

Mitigation

We recommend implementing a different approach for handling messages exceeding a certain size. Instead of throwing an error, the code should be modified to ignore large messages.
@mpguerra mpguerra added this to the FROST Demo Audit milestone Feb 18, 2025
@mpguerra mpguerra moved this to Sprint Backlog in FROST Feb 18, 2025
@conradoplg conradoplg linked a pull request Feb 21, 2025 that will close this issue
Open
@mpguerra mpguerra linked a pull request Feb 21, 2025 that will close this issue
frostd, dkg, coordinator: check msg size; cleanup on error #493
Open
@mpguerra mpguerra moved this from Sprint Backlog to Review/QA in FROST Feb 24, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
FROST
Status: Review/QA
Milestone
FROST Demo Audit
Development

Successfully merging a pull request may close this issue.

frostd, dkg, coordinator: check msg size; cleanup on error ZcashFoundation/frost-zcash-demo
1 participant
@mpguerra