tendermint v0.33.3 Release Notes
April 6, 2020
This security release fixes:
Denial of service 1
Tendermint 0.33.2 and earlier does not limit the number of P2P connection requests. For each P2P connection, Tendermint allocates ~0.5MB. Even though this memory is garbage collected once the connection is terminated (due to a duplicate IP or reaching the maximum number of inbound peers), temporary memory spikes can lead to OOM (Out-Of-Memory) exceptions.
Tendermint 0.33.3 (and 0.32.10) limits the total number of P2P incoming connection requests to p2p.max_num_inbound_peers + len(p2p.unconditional_peer_ids).
Notes:
- Tendermint does not rate limit P2P connection requests per IP (an attacker can saturate all the inbound slots);
- Tendermint does not rate limit HTTP(S) requests. If you expose any RPC endpoints to the public, please make sure to put in place some protection (https://www.nginx.com/blog/rate-limiting-nginx/). We may implement this in the future (#1696).
Denial of service 2
Tendermint 0.33.2 and earlier does not reclaim activeID of a peer after it's removed in Mempool reactor. This does not happen all the time. It only happens when a connection fails (for any reason) before the Peer is created and added to all reactors. RemovePeer is therefore called before AddPeer, which leads to always growing memory (activeIDs map). The activeIDs map has a maximum size of 65535 and the node will panic if this map reaches the maximum. An attacker can create a lot of connection attempts (exploiting Denial of service 1), which ultimately will lead to the node panicking.
Tendermint 0.33.3 (and 0.32.10) claims activeID for a peer in InitPeer, which is executed before MConnection is started.
Notes:
- InitPeer function was added to all reactors to combat a similar issue - #3338;
- Denial of service 2 is independent of Denial of service 1 and can be executed without it.
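A simplified model of the ordering issue described under Denial of service 2, added here as an example and not taken from Tendermint's code. The reactor type, leakedIDs and the peer keys are hypothetical; the event order (RemovePeer running before AddPeer when a connection fails early) and the 65535 limit come from the notes above.

```go
package main

import "fmt"

const maxActiveIDs = 65535 // activeIDs map limit stated in the release notes

// reactor is a simplified, hypothetical model of a reactor reserving one ID per peer.
type reactor struct {
	reserveInInit bool                // false models 0.33.2, true models 0.33.3
	ids           map[string]struct{} // peers that currently hold a reserved ID
}

func (r *reactor) reserve(peer string) {
	if len(r.ids) == maxActiveIDs {
		panic("activeIDs map is full") // the node panics at this point
	}
	r.ids[peer] = struct{}{}
}

func (r *reactor) InitPeer(peer string) {
	if r.reserveInInit {
		r.reserve(peer)
	}
}
func (r *reactor) AddPeer(peer string) {
	if !r.reserveInInit {
		r.reserve(peer)
	}
}

// RemovePeer reclaims the ID; a no-op when nothing is reserved for the peer.
func (r *reactor) RemovePeer(peer string) { delete(r.ids, peer) }

// leakedIDs replays n early-failing connections (RemovePeer before AddPeer, per the notes).
func leakedIDs(n int, reserveInInit bool) (left int, panicked bool) {
	r := &reactor{reserveInInit: reserveInInit, ids: map[string]struct{}{}}
	defer func() { left, panicked = len(r.ids), recover() != nil }()
	for i := 0; i < n; i++ {
		peer := fmt.Sprintf("peer-%d", i) // constructed peer keys
		r.InitPeer(peer)
		r.RemovePeer(peer)
		r.AddPeer(peer)
	}
	return
}

func main() {
	fmt.Println(leakedIDs(70000, false)) // 0.33.2 ordering
	fmt.Println(leakedIDs(70000, true))  // 0.33.3 ordering
}
```

With the reservation in AddPeer, every replayed connection leaves one entry behind until the limit is hit; with the reservation in InitPeer, RemovePeer always finds the entry and the map stays empty.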
All clients are recommended to upgrade
Special thanks to fudongbai for finding and reporting this.
Friendly reminder, we have a bug bounty program.
SECURITY:
- [mempool] Reserve IDs in InitPeer instead of AddPeer (@tessr)
- [p2p] Limit the number of incoming connections (@melekes)