Skip to content

fix(carbonio): validate machoNet oob length against payload size#15

Open
Rakdos8 wants to merge 1 commit into
carbonengine:mainfrom
Rakdos8:fix/machonet-oob-bounds
Open

fix(carbonio): validate machoNet oob length against payload size#15
Rakdos8 wants to merge 1 commit into
carbonengine:mainfrom
Rakdos8:fix/machonet-oob-bounds

Conversation

@Rakdos8

@Rakdos8 Rakdos8 commented May 15, 2026

Copy link
Copy Markdown

Summary

Closes a network-reachable heap over-read in the machoNet stream packet parser.

Problem

m_oobDataLen is read from the wire (attacker-controlled out-of-band length
prefix). It was only bounded by maxPacketSize, never by the payload actually
received. A hostile peer could announce an m_oobDataLen larger than the
received buffer, causing m_payload to advance past m_data, the
payloadLen() - m_oobDataLen computation to underflow, and adjacent heap
memory to be handed to the oob callbacks / returned to Python.

Fix

After the existing maxPacketSize guard, reject any packet whose oob block
plus its 4-byte length prefix exceeds payloadLen(). Same style as the
sibling check (PyErr_Format + return false), no behavioural change for
well-formed packets.

Type

Security — remote heap over-read / information disclosure (Critical).

Testing

Manual review; behaviour for valid packets unchanged (guard only rejects
malformed oversized oob lengths).

@CCP-Aporia

CCP-Aporia commented Jun 10, 2026

Copy link
Copy Markdown
Contributor

Hi @Rakdos8

Thank you for the PR and apologies for the late response. We are still in the process of sorting out some details around contribution guidelines and PR templates.

This does indeed look like a real issue. Could you please add a test case in tests/python/carboniotests/test/test_socket.py as well?

@Rakdos8
fix(carbonio): validate machoNet oob length against payload size
8d9f54e 
A hostile peer controls m_oobDataLen via the packet's out-of-band
length prefix. It was only bounded by maxPacketSize, never by the
payload actually received, so m_payload could be advanced past m_data,
payloadLen() - m_oobDataLen could underflow, and adjacent heap memory
was disclosed to the oob callbacks. Reject packets whose oob block plus
its length prefix exceeds payloadLen().
@Rakdos8 Rakdos8 force-pushed the fix/machonet-oob-bounds branch from 21feb47 to 8d9f54e Compare June 10, 2026 22:18
@Rakdos8

Rakdos8 commented Jun 10, 2026

Copy link
Copy Markdown
Author

Hi @Rakdos8

Thank you for the PR and apologies for the late response. We are still in the process of sorting out some details around contribution guidelines and PR templates.

This does indeed look like a real issue. Could you please add a test case in tests/python/carboniotests/test/test_socket.py as well?

No worries about the delay : I can imagine open-sourcing a project isn't easy, especially sorting out contribution guidelines and templates along the way 😉

Done : added test_recvpacket_with_oob_data_exceeding_payload to CarbonIoTest in tests/python/carboniotests/test/test_socket.py. It hand-crafts a packet whose advertised OOB length overruns the received payload and asserts recvpacketoob() raises OSError, exercising the new bound. It sits alongside the existing test_recvpacket_with_oob_data happy-path case.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Rakdos8 @CCP-Aporia