Yamux vulnerable to remote Panic via malformed WindowUpdate credit
Remote unauthenticated denial of service. An attacker can repeatedly trigger panics by reconnecting and replaying the crafted frame sequence.
The Rust implementation of Yamux can panic when processing a crafted inbound Data frame that sets SYN and uses a body length greater than DEFAULT_CREDIT (e.g. 262145). On the first packet of a new inbound stream, stream state is created and a receiver is queued before oversized-body validation completes. When validation fails, the temporary stream is dropped and cleanup may call remove(…).expect("stream not found"), triggering a panic in the connection …
Attack scenario
The Rust implementation of the Yamux stream multiplexer uses a vector for pending frames. This vector is not bounded in length. Every time the Yamux protocol requires sending of a new frame, this frame gets appended to this vector. This can be remotely triggered in a number of ways, for example by: Opening a new libp2p Identify stream. This causes the node to send its Identify message. Of …