Audit finding from #300 (commit 679f9fe)
Severity: medium (DoS), low (security)
Category: input validation / DoS
File: crates/client/src/listeners.rs:329
Obvious fix: yes
Description
Any signed peer on the server-ops topic can broadcast WireMessage::VoiceJoin { channel_id, peer_id } with an arbitrary channel_id String; the client unconditionally calls v.participants.entry(ch).or_default().insert(peer_id). There is no validation that channel_id corresponds to a real channel in ServerState, nor any bound on the number of distinct channels or participants.
Impact / Threat
A malicious peer can flood VoiceJoin with random channel ids until each receiving client's voice state grows to fill memory.
Suggested fix
Ignore VoiceJoin/Leave/Signal whose channel_id does not exist in the server's ServerState.channels, and additionally cap distinct channel_ids and peer_ids in VoiceState.
Verify
rg "v.participants.entry\(ch\).or_default\(\).insert\(peer_id\)" crates/client/src/listeners.rs
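A hardened counterpart to the unconditional insert at listeners.rs:329, as an added example rather than the project's own code: it drops VoiceJoin for channel ids absent from the server's channel list and bounds both the channel map and each participant set. ServerState and VoiceState are simplified stand-ins and the cap constants are assumed values.

```rust
// Added example (not the project's own code): a hardened VoiceJoin handler
// that validates channel_id against known channels and bounds state growth.
// ServerState, VoiceState and the two limits are assumed/simplified here.
use std::collections::{HashMap, HashSet};

/// Upper bounds on voice state growth per client (assumed values).
pub const MAX_VOICE_CHANNELS: usize = 64;
pub const MAX_PARTICIPANTS_PER_CHANNEL: usize = 256;

/// Simplified stand-in for the server's authoritative channel list.
pub struct ServerState {
    pub channels: HashSet<String>,
}

/// Per-client voice state: channel_id -> set of peer_ids.
#[derive(Default)]
pub struct VoiceState {
    pub participants: HashMap<String, HashSet<String>>,
}

/// Outcome of processing a VoiceJoin, so callers can log rejected messages.
#[derive(Debug, PartialEq, Eq)]
pub enum JoinResult {
    Joined,
    UnknownChannel,
    ChannelCapReached,
    ParticipantCapReached,
}

/// Hardened replacement for `v.participants.entry(ch).or_default().insert(peer_id)`:
/// unknown channels are ignored and both collections are capped.
pub fn handle_voice_join(server: &ServerState, v: &mut VoiceState, channel_id: &str, peer_id: &str) -> JoinResult {
    // 1. Only channels the server actually advertises may carry voice state.
    if !server.channels.contains(channel_id) {
        return JoinResult::UnknownChannel;
    }
    // 2. A flood of distinct ids must not create unbounded new map entries.
    if !v.participants.contains_key(channel_id) && v.participants.len() >= MAX_VOICE_CHANNELS {
        return JoinResult::ChannelCapReached;
    }
    let members = v.participants.entry(channel_id.to_string()).or_default();
    // 3. Re-joins are idempotent; only genuinely new peers count against the cap.
    if !members.contains(peer_id) && members.len() >= MAX_PARTICIPANTS_PER_CHANNEL {
        return JoinResult::ParticipantCapReached;
    }
    members.insert(peer_id.to_string());
    JoinResult::Joined
}
```

Applying the same membership check to VoiceLeave and VoiceSignal keeps those paths from touching state for channels the server never created.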