GMS-2022-820: Panic when processing certain blocks

April 8, 2022 (updated August 30, 2023)

Impact

Decoding certain blocks using the go-ipld-prime version of the dag-pb codec (go-codec-dagpb) can cause a panic. The panic comes from an assumption that the reported link length is accurate, but if the block ends before that reported length then it’s a buffer overread.

Patches

The issue is fixed in v1.3.1 and above.

Consumers can discover the versions of go-codec-dagpb in a module’s dependency graph using the following command in the module root:

go mod graph | grep go-codec-dagpb

Workarounds

You can work around this issue without upgrading by recovering panics higher in the call stack of the goroutine that calls the defective code.

For more information

If you have any questions or comments about this advisory:

Ask in IPFS Discord #ipld-chatter
Open an issue in go-codec-dagpb

References

Code Behaviors & Features

Detect and mitigate GMS-2022-820 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →