Summary
loona-hpack suffers from the same vulnerability as the original hpack as documented in mlalic/hpack-rs#11
Details
The original includes a very nice description of the problem, as well as an easy-enough fix for it.
PoC
The original example pretty much still applies:
use loona_hpack::Decoder;
pub fn main() {
let input = &[0x3f];
let mut decoder = Decoder::new();
let _ = decoder.decode(input);
}Impact
From the original:
All users who try to decode untrusted input using the Decoder are vulnerable to this exploit. A patched version of the crate is available on [crates.io](https://crates.io/crates/hpack-patched) under the name hpack-patched. See [Cargo's documentation on overriding dependencies](https://doc.rust-lang.org/cargo/reference/overriding-dependencies.html) for more information.
Summary
loona-hpacksuffers from the same vulnerability as the originalhpackas documented in mlalic/hpack-rs#11Details
The original includes a very nice description of the problem, as well as an easy-enough fix for it.
PoC
The original example pretty much still applies:
Impact
From the original:
All users who try to decode untrusted input using the Decoder are vulnerable to this exploit. A patched version of the crate is available on [crates.io](https://crates.io/crates/hpack-patched) under the name hpack-patched. See [Cargo's documentation on overriding dependencies](https://doc.rust-lang.org/cargo/reference/overriding-dependencies.html) for more information.