|
| 1 | +--- |
| 2 | +title: Disclosure of remote crash due to addr message spam |
| 3 | +name: blog-disclose-addrman-idcount-in-overflow |
| 4 | +id: blog-disclose-addrman-idcount-in-overflow |
| 5 | +lang: en |
| 6 | +type: advisory |
| 7 | +layout: post |
| 8 | + |
| 9 | +## If this is a new post, reset this counter to 1. |
| 10 | +version: 1 |
| 11 | + |
| 12 | +## Only true if release announcement or security annoucement. English posts only |
| 13 | +announcement: 1 |
| 14 | + |
| 15 | +excerpt: > |
| 16 | + Nodes could be spammed with addr messsages, which could be used to crash them. A fix was released on September 14th, 2021 in Bitcoin Core v22.0. |
| 17 | +--- |
| 18 | + |
| 19 | +Disclosure of the details of an integer overflow bug which causes an assertion |
| 20 | +crash, a fix for which was released on September 14th, 2021 in Bitcoin Core |
| 21 | +version v22.0. |
| 22 | + |
| 23 | +This issue is considered **High** severity. |
| 24 | + |
| 25 | +## Details |
| 26 | + |
| 27 | +`CAddrMan` has a 32-bit `nIdCount` field that is incremented on every insertion |
| 28 | +into addrman, and which then becomes the identifier for the new entry. By |
| 29 | +getting the victim to insert 2<sup>32</sup> entries (through e.g. spamming addr |
| 30 | +messages), this identifier overflows, which leads to an assertion crash. |
| 31 | + |
| 32 | +## Attribution |
| 33 | + |
| 34 | +Credit goes to Eugene Siegel for discovering and disclosing the vulnerability, |
| 35 | +and to Pieter Wuille for fixing the issue in |
| 36 | +https://github.com/bitcoin/bitcoin/pull/22387. |
| 37 | + |
| 38 | +## Timeline |
| 39 | + |
| 40 | +* 21-06-2021 - Initial report sent to security@bitcoincore.org by Eugene Siegel |
| 41 | +* 19-07-2021 - Fix is merged (https://github.com/bitcoin/bitcoin/pull/22387) |
| 42 | +* 13-09-2021 - v22.0 is released |
| 43 | +* 31-07-2024 - Public disclosure |
| 44 | + |
| 45 | +{% include references.md %} |
0 commit comments