
[Audit-Medium] No upper bound on peer-advertised Slic connection para… #4410

@pepone

Description


AI-generated audit finding — this issue was opened from an automated security/correctness audit. It has not been triaged by a human yet; verify the reasoning, reproducibility, and severity before acting on it.

Medium: No upper bound on peer-advertised Slic connection parameters

Affected code:

Description:

MaxStreamFrameSize and InitialStreamWindowSize are validated with a lower bound of 1024 bytes but have no upper bound (only the int range imposed by DecodeParamValue). PeerMaxStreamFrameSize and PeerInitialStreamWindowSize feed send-sizing math in WriteStreamDataFrameAsync (SlicConnection.cs:762) and flow-control accounting in SlicPipeWriter. A peer declaring 2 GiB values does not cause immediate local allocation, but it disables the receive-window protection on the sending side and forces int arithmetic close to overflow boundaries.

Impact: Low to Medium — no direct memory blow-up on the receiver, but the invariant "peer-advertised sizes are sane" is load-bearing elsewhere in the implementation.

Recommendation: enforce a sensible upper bound (e.g. MaxStreamFrameSize <= 16 MiB, InitialStreamWindowSize <= 16 MiB) at decode time and reject as InvalidDataException.

Source report: src-IceRpc-Transports-audit-2026-04-14.md (finding: "No upper bound on peer-advertised Slic connection parameters")

Severity (auditor-assigned): Medium
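The bounded decode the finding recommends, as an added example for this issue and not IceRpc's own code. The parameter names and the 1024-byte lower bound come from the finding; the `ParameterKey` enum, decoding the raw value as a `ulong`, the 16 MiB ceiling and the `FrameSizeWithHeader` helper are assumptions for illustration. The second half of `Main` shows the hazard the finding describes: a value that is only range-checked against `int` passes the old lower-bound check and then pushes send-sizing arithmetic past `int.MaxValue`.

```csharp
using System;
using System.IO; // InvalidDataException

// Added example (not IceRpc's code): upper-bound validation for peer-advertised
// Slic connection parameters. ParameterKey, the ulong raw value and the 16 MiB
// ceiling are assumptions chosen for this illustration.
enum ParameterKey { MaxStreamFrameSize, InitialStreamWindowSize }

static class SlicParameterBounds
{
    const int MinValue = 1024;             // lower bound the finding says is already enforced
    const int MaxValue = 16 * 1024 * 1024; // recommended upper bound: 16 MiB

    // Validate a raw peer value before it is narrowed to int and fed into
    // send-sizing or flow-control math. Throws InvalidDataException on either
    // bound so an oversized value is rejected instead of truncated or accepted.
    public static int DecodeBounded(ParameterKey key, ulong raw)
    {
        if (raw < MinValue || raw > MaxValue)
        {
            throw new InvalidDataException(
                $"peer-advertised {key} = {raw} is outside [{MinValue}, {MaxValue}]");
        }
        return (int)raw;
    }

    // Stand-in for the kind of send-sizing arithmetic the finding points at:
    // a frame header plus a peer-dictated payload size. 'checked' makes the
    // overflow visible as an exception instead of a silent wrap to a negative size.
    public static int FrameSizeWithHeader(int peerMaxStreamFrameSize, int headerSize)
    {
        return checked(peerMaxStreamFrameSize + headerSize);
    }

    static void Main()
    {
        // Constructed inputs: one sane value and the largest value the int range
        // admits (just under 2 GiB), which is what an old int-only check lets through.
        ulong sane = 64 * 1024;
        ulong hostile = int.MaxValue;

        int accepted = DecodeBounded(ParameterKey.MaxStreamFrameSize, sane);
        Console.WriteLine($"accepted MaxStreamFrameSize = {accepted}");

        try
        {
            DecodeBounded(ParameterKey.InitialStreamWindowSize, hostile);
        }
        catch (InvalidDataException e)
        {
            Console.WriteLine($"rejected: {e.Message}");
        }

        // Old path: only the int range is enforced, so the hostile value survives
        // the >= 1024 check and overflows as soon as a header size is added.
        int unbounded = (int)hostile;
        try
        {
            FrameSizeWithHeader(unbounded, headerSize: 16);
        }
        catch (OverflowException)
        {
            Console.WriteLine("unbounded peer value overflows send-sizing arithmetic");
        }
    }
}
```

The bound is checked on the raw `ulong` before the cast so that the check and the narrowing cannot be reordered by a later refactor; whatever ceiling the project settles on, it should be low enough that every downstream `int` sum (frame size plus header, window plus credit) stays far from `int.MaxValue`.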

Labels: ai-audit (AI-generated audit finding — needs human triage), slic (Slic Transport)