GHSA-5xrh-qmmq-w6chHighCVSS 7.5
Netty: SCTP reassembly nests buffers without bound
🔗 CVE IDs covered (1)
📋 Description
For each non-complete SctpMessage fragment the handler does fragments.put(streamId, Unpooled.wrappedBuffer(frag, byteBuf)), wrapping the previous accumulator and the new slice into a new CompositeByteBuf every time. After N fragments the accumulator is an N-deep chain of composites, each holding references and component arrays; readableBytes()/getBytes() on the final buffer recurse N levels. There is no limit on N, on total bytes, or on the number of streamIdentifiers an attacker can open (each gets its own map entry). A peer that never sets the complete flag can grow this structure indefinitely from tiny 1-byte DATA chunks.
🎯 Affected products2
- maven/io.netty:netty-transport-sctp:>= 4.2.0.Final, <= 4.2.14.Final
- maven/io.netty:netty-transport-sctp:<= 4.1.134.Final