In line 229 of Main.cs from Pem2CNG and in line 291 of Pem2XML, it is possible for the attacker to deny service by somehow specifying a really large file or stream for the PEM specification. The StreamReader will block the thread until an EOF byte is read.
I wouldn't get into more detail about how an attacker may actually set up such an attack for another user's aaltotls-based service, and instead I would suggest modifying the stream reading code so that it only reads up to an expected maximum number of characters (I can't imagine a PEM bigger than, say, a megabyte). This will prevent a future possibility of DoS making the service unavailable or using up all the threads/resources/memory on the host system.
This isn't a huge deal, but as your code evolves and possibly becomes reused in a way not anticipated today... you could easily fix this now.
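An added example of the bounded read suggested above; this is not code from the aaltotls repository, and the class name `BoundedPemReader`, the `ReadPem` method and the 1 MiB default limit are assumptions. It replaces an unbounded `ReadToEnd()` with a chunked read that fails fast once the cumulative size passes the limit, so an oversized or never-ending stream cannot pin the thread or memory:

```csharp
using System;
using System.IO;
using System.Text;

// Assumed helper (not part of aaltotls): read a PEM document from a stream,
// refusing to consume more than maxChars characters before giving up.
public static class BoundedPemReader
{
    // 1 MiB of text is far larger than any realistic PEM certificate or key.
    public const int DefaultMaxChars = 1024 * 1024;

    public static string ReadPem(Stream input, int maxChars = DefaultMaxChars)
    {
        if (input == null) throw new ArgumentNullException(nameof(input));
        if (maxChars <= 0) throw new ArgumentOutOfRangeException(nameof(maxChars));
        var sb = new StringBuilder();
        var buffer = new char[4096];
        using (var reader = new StreamReader(input, Encoding.ASCII, false, buffer.Length, leaveOpen: true))
        {
            int read;
            while ((read = reader.Read(buffer, 0, buffer.Length)) > 0)
            {
                // Reject as soon as the limit would be exceeded, instead of
                // buffering everything while waiting for an EOF that may never come.
                if (sb.Length + read > maxChars)
                    throw new InvalidDataException($"PEM input exceeds the {maxChars} character limit.");
                sb.Append(buffer, 0, read);
            }
        }
        string pem = sb.ToString();
        // Cheap structural check: a PEM block is delimited by BEGIN/END markers.
        if (!pem.Contains("-----BEGIN ") || !pem.Contains("-----END "))
            throw new InvalidDataException("Input is not a PEM-encoded block.");
        return pem;
    }

    public static void Main()
    {
        // Constructed sample: a short, well-formed PEM-style block (accepted).
        string sample = "-----BEGIN CERTIFICATE-----\nQUJD\n-----END CERTIFICATE-----\n";
        using (var ok = new MemoryStream(Encoding.ASCII.GetBytes(sample)))
            Console.WriteLine(ReadPem(ok).Length);
        // Constructed oversized input (2 MiB): rejected before it is fully buffered.
        using (var big = new MemoryStream(new byte[2 * 1024 * 1024]))
        {
            try { ReadPem(big); }
            catch (InvalidDataException e) { Console.WriteLine(e.Message); }
        }
    }
}
```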