fix(marauder): bound the read accumulator (untrusted-device DoS parity with Flipper)#148
Merged
Merged
Conversation
…y with Flipper) The Flipper serial path caps in-flight reads at 8 MiB (flipper.defaultMaxAccumBytes + ErrResponseTruncated). The Marauder client — a separate codebase — had no equivalent bound: readUntilPromptCtx and the Stream goroutine append()'d to their accumulators without limit. The Marauder reports attacker-influenced data (SSIDs / BSSIDs / BLE names from the surrounding RF, which an adversary can flood with thousands of forged beacons) over a link that could also be a malfunctioning or malicious board, so an unbounded read accumulator is a memory-DoS vector — and an asymmetry with the Flipper transport that already defends against it. Add the matching cap: - defaultMaxAccumBytes = 8 MiB (same value as the Flipper) + SetMaxAccumBytes / accumCap(), mirroring flipper.(*Flipper). - readUntilPromptCtx: once the accumulator exceeds the cap before the prompt arrives, return the partial output with ErrResponseTruncated (same contract as the Flipper path). - Stream goroutine: accum normally holds only the current unterminated line (trimmed at every '\n'); if it exceeds the cap, a single no-newline line is flooding memory — log, send stopscan, and end the stream cleanly. Verified: new tests for the no-prompt flood truncation (partial output + ErrResponseTruncated, bounded size) and the accumCap default/override/reset resolver; existing marauder suite unchanged. task ci green (lint 0 / vet / build / test:full 0 fail / govulncheck clean); task eval 17/17.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fourth trust-boundary fix in the series. Brings the Marauder read path to parity with the Flipper's existing read-size cap.
The Flipper serial path caps in-flight reads at 8 MiB (
flipper.defaultMaxAccumBytes+ErrResponseTruncated). The Marauder client — a separate codebase — had no equivalent bound:readUntilPromptCtxand theStreamgoroutineappend'd to their accumulators without limit. The Marauder reports attacker-influenced data (SSIDs / BSSIDs / BLE names from the surrounding RF, which an adversary can flood with thousands of forged beacons) over a link that could also be a malfunctioning or malicious board, so an unbounded read accumulator is a memory-DoS vector — and an asymmetry with the Flipper transport that already defends against it.Change
defaultMaxAccumBytes = 8 MiB(same value as the Flipper) +SetMaxAccumBytes/accumCap(), mirroringflipper.(*Flipper).readUntilPromptCtx(theExec/ExecCtxpath): once the accumulator exceeds the cap before the prompt arrives, return the partial output withErrResponseTruncated— same contract as the Flipper path.Streamgoroutine:accumnormally holds only the current unterminated line (trimmed at every\n); if it exceeds the cap, a single no-newline line is flooding memory — log, sendstopscan, and end the stream cleanly.Verification
ErrResponseTruncated, bounded size) and theaccumCapdefault/override/reset resolver. Existing marauder suite unchanged.task cigreen (lint 0 / vet / build /test:full0 fail / govulncheck clean);task eval17/17.Adversarial-input hardening (untrusted device) — anchors v0.769.0.