Bitcoin Core :: Disclosure of CVE-2015-3641



A node could be forced to allocate large buffers when receiving a message, which could be leveraged to remotely crash it by OOM.

This issue is considered Medium severity.

Details

Without a tighter bound, received messages’ size was limited by the maximum serialized message size
of 32 MiB. An attacker could force a node to allocate this much RAM per connection, which may lead
to an OOM.

PR #5843 added a tighter bound on the size a P2P message may declare, checked before the payload is
received. This reduces the per-peer receive buffer memory a malicious peer can cause a node to
allocate. The PR reduced the limit from 32 MiB to 2 MiB, which was later increased back to 4 MB as
part of the Segwit BIP144 changes.
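As an added illustration of the mitigation (example code, not Bitcoin Core's or the PR's own), the receive path below validates the payload length declared in the 24-byte P2P message header against a bound before reserving any buffer space, so an oversized claim costs the node nothing. The header layout and mainnet magic are assumed from the P2P protocol rather than taken from this page, and the headers fed to it are constructed for the demonstration.

```cpp
#include <cstdint>
#include <cstddef>
#include <string>
#include <vector>

// Bitcoin P2P message header (24 bytes): 4-byte network magic, 12-byte NUL-padded
// command, 4-byte little-endian payload length, 4-byte payload checksum.
constexpr size_t HEADER_SIZE = 24;
constexpr uint32_t MAINNET_MAGIC = 0xD9B4BEF9;           // bytes f9 be b4 d9 on the wire
constexpr uint32_t BOUND_BEFORE_FIX = 32u * 1024 * 1024; // 32 MiB: old serialized-size limit
constexpr uint32_t BOUND_AFTER_FIX = 2u * 1024 * 1024;   // 2 MiB: limit introduced by PR #5843

struct RecvBuffer {
    bool accepted = false;      // false: header rejected, nothing was reserved
    std::string command;
    std::vector<uint8_t> data;  // payload storage, reserved only after the length passed the bound
};

static uint32_t read_le32(const uint8_t* p) {
    return uint32_t(p[0]) | uint32_t(p[1]) << 8 | uint32_t(p[2]) << 16 | uint32_t(p[3]) << 24;
}

// Validate the header and reserve payload space only if the declared length is
// within `bound`. The declared length is peer-controlled, so the check runs before
// any allocation; an oversized claim leaves the buffer untouched and the caller
// can disconnect the peer.
RecvBuffer begin_message(const std::vector<uint8_t>& hdr, uint32_t bound) {
    RecvBuffer rb;
    if (hdr.size() < HEADER_SIZE || read_le32(hdr.data()) != MAINNET_MAGIC) return rb;
    uint32_t declared = read_le32(hdr.data() + 16);
    if (declared > bound) return rb;  // oversized claim: reject without allocating
    rb.command.assign(reinterpret_cast<const char*>(hdr.data() + 4), 12);
    size_t nul = rb.command.find('\0');
    if (nul != std::string::npos) rb.command.erase(nul);
    rb.data.reserve(declared);        // only reached for lengths within the bound
    rb.accepted = true;
    return rb;
}

// Constructed header for the demonstration (not a captured packet); checksum left zero.
std::vector<uint8_t> make_header(const std::string& command, uint32_t payload_len) {
    std::vector<uint8_t> h(HEADER_SIZE, 0);
    for (int i = 0; i < 4; ++i) h[i] = uint8_t(MAINNET_MAGIC >> (8 * i));
    for (size_t i = 0; i < command.size() && i < 12; ++i) h[4 + i] = uint8_t(command[i]);
    for (int i = 0; i < 4; ++i) h[16 + i] = uint8_t(payload_len >> (8 * i));
    return h;
}
```

A header claiming 3 MiB shows the difference directly: it is accepted and reserved under the old 32 MiB bound but rejected before allocation under the 2 MiB bound.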

Attribution

Reported to Greg Maxwell by bitcointalk user Evil-Knievel. Fixed by Pieter Wuille.

Timeline

2015-02-05 Evil-Knievel reports the vulnerability to Greg Maxwell through bitcointalk private messages.
2015-??-?? CVE-2015-3641 is registered for it.
2015-03-01 PR #5843 is opened to fix it.
2015-03-06 PR #5843 is merged.
2015-03-09 The fix is backported to version 0.10.1.
2015-04-27 Bitcoin Core version 0.10.1 is released with a fix.
2015-06-25 A disclosure is pre-announced.
2015-07-07 Disclosure is postponed.
2016-08-23 The last vulnerable Bitcoin Core version (0.10.x) goes EOL.
2024-07-03 Public disclosure.