Description
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final, when decoding header blocks, the non-Huffman branch of io.netty.handler.codec.http3.QpackDecoder#decodeHuffmanEncodedLiteral may execute new byte[length] for a string literal before verifying that length bytes are actually present in the compressed field section. The wire encoding allows a very large length to be expressed in few bytes. There is no check that length <= in.readableBytes() before new byte[length]. This vulnerability is fixed in 4.2.13.Final.
Problem types
CWE-770: Allocation of Resources Without Limits or Throttling
CWE-789: Memory Allocation with Excessive Size Value
Product status
References
github.com/.../netty/security/advisories/GHSA-2c5c-chwr-9hqw
github.com/.../netty/security/advisories/GHSA-2c5c-chwr-9hqw