SpdyStream: DOS on CRI
The SPDY/3 frame parser in spdystream does not validate attacker-controlled counts and lengths before allocating memory. A remote peer that can send SPDY frames to a service using spdystream can cause the process to allocate gigabytes of memory with a small number of malformed control frames, leading to an out-of-memory crash. Three allocation paths in the receive side are affected: SETTINGS entry count – The SETTINGS frame reader reads a …