tests: add test demonstrating subneg DoS

The parser logic for processing subnegotiations allows a peer to cause unbounded memory consumption by starting a subnegotiation but never finishing it. Applications consuming events from the parser will never receive any indication the peer sent data. The parser's internal buffer will grow unbounded. This commit adds a test demonstrating the issue, but does not offer a fix.
Blightmud · Oct 3, 2024 · c248bda · c248bda
1 parent 5c95119
commit c248bda
Showing 1 changed file with 20 additions and 0 deletions.
diff --git a/tests/tests.rs b/tests/tests.rs
@@ -319,6 +319,26 @@ fn test_bad_subneg_dbuffer() {
   Parser::with_support(opts).receive(&[cmd::IAC, cmd::SB, cmd::IAC, cmd::SE]);
 }
 
+#[test]
+fn test_subneg_dos() {
+  let mut instance: Parser = Parser::new();
+  instance.options.support_local(opt::GMCP);
+
+  // Receive the start of a supported subnegotiation
+  let mut events = instance.receive(&[cmd::IAC, cmd::SB, opt::GMCP]);
+  assert!(events.is_empty());
+
+  // Receive data forever, breaking only when an item is yielded. With the current code
+  // this will never happen: the parser will indefinitely buffer as much data as the peer
+  // sends, consuming all available memory.
+  loop {
+    events = instance.receive(&[0x01]);
+    if !events.is_empty() {
+      break;
+    }
+  }
+}
+
 #[test]
 fn test_into_bytes() {
   let bytes = libmudtelnet::events::TelnetIAC::new(cmd::IAC).to_bytes();