CVE-2020-35896

HIGH 7.5 / 10.0
Published: December 31, 2020 at 10:15 AM
Modified: November 21, 2024 at 05:28 AM
Source: cve@mitre.org

Vulnerability Description

An issue was discovered in the ws crate through 2020-09-25 for Rust. The outgoing buffer is not properly limited, leading to a remote memory-consumption attack.

CVSS Metrics

Base Score: 7.5
Severity: HIGH
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Weaknesses (CWE)

Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

A high-severity vulnerability exists in the ws crate for Rust, allowing a remote memory-consumption attack. Attackers can exploit this flaw to exhaust server resources, leading to a denial-of-service (DoS) condition and potentially impacting application availability. The vulnerability is due to improper buffer management in the handling of outgoing WebSocket data.

02 // Vulnerability Mechanism

Step 1: Payload Crafting: The attacker crafts a malicious WebSocket message. This message contains a payload designed to be significantly larger than expected or reasonable for the application's normal operation.

Step 2: Message Transmission: The attacker sends the crafted WebSocket message to the vulnerable server using a WebSocket connection.

Step 3: Server Processing: The server, using the vulnerable ws crate, receives and attempts to process the malicious message.

Step 4: Buffer Allocation: Due to the lack of proper size validation, the server allocates a large buffer to accommodate the oversized payload.

Step 5: Memory Exhaustion: The server either allocates an extremely large buffer, leading to memory exhaustion, or attempts to write the oversized payload, potentially triggering a buffer overflow or other memory corruption issues, ultimately leading to a crash or denial of service.

03 // Deep Technical Analysis

The vulnerability stems from a lack of proper size limitations on the outgoing buffer within the ws crate when processing WebSocket messages. Specifically, the code fails to adequately validate the size of data being written to the outgoing buffer before allocation or transmission. This allows a malicious actor to craft a WebSocket message with an excessively large payload. When the server attempts to process and send this oversized message, it consumes a disproportionate amount of memory, potentially leading to a buffer overflow or, more likely, a memory exhaustion condition. The root cause is the absence of sufficient bounds checking on the size of the outgoing data, allowing for unbounded memory allocation. This can be triggered by sending a large WebSocket message, leading to a denial-of-service.
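
Added example (not code from the ws crate or from this page): one way to enforce the missing bound, a per-connection outgoing buffer that refuses new frames once the pending byte count would exceed a hard cap. The names `OutBuffer`, `OverLimit`, `MAX_OUT_BYTES` and the 64 KiB cap are assumptions made for illustration.

```rust
use std::collections::VecDeque;

const MAX_OUT_BYTES: usize = 64 * 1024; // assumed cap for illustration

/// Returned when a frame would push the queue past its cap.
#[derive(Debug, PartialEq)]
struct OverLimit { queued: usize, requested: usize }

/// Hypothetical per-connection outgoing buffer with a hard byte cap.
struct OutBuffer { frames: VecDeque<Vec<u8>>, queued: usize, cap: usize }

impl OutBuffer {
    fn new(cap: usize) -> Self {
        OutBuffer { frames: VecDeque::new(), queued: 0, cap }
    }

    /// Queue a frame only if the pending total stays within the cap.
    /// checked_add ensures a wrapped sum can never pass the comparison.
    fn push(&mut self, frame: Vec<u8>) -> Result<(), OverLimit> {
        match self.queued.checked_add(frame.len()) {
            Some(total) if total <= self.cap => {
                self.queued = total;
                self.frames.push_back(frame);
                Ok(())
            }
            _ => Err(OverLimit { queued: self.queued, requested: frame.len() }),
        }
    }

    /// Model the socket accepting up to `n` bytes; returns bytes released.
    fn drain(&mut self, mut n: usize) -> usize {
        let before = self.queued;
        while n > 0 {
            let front = match self.frames.front_mut() { Some(f) => f, None => break };
            let take = n.min(front.len());
            front.drain(..take);
            n -= take;
            self.queued -= take;
            if front.is_empty() { self.frames.pop_front(); }
        }
        before - self.queued
    }
}

/// Constructed scenario: 16 KiB frames are queued and nothing is drained.
fn frames_accepted_without_drain(attempts: usize) -> usize {
    let mut buf = OutBuffer::new(MAX_OUT_BYTES);
    (0..attempts).take_while(|_| buf.push(vec![0u8; 16 * 1024]).is_ok()).count()
}

fn main() { println!("accepted {} of 1000 frames", frames_accepted_without_drain(1000)); }
```

On `OverLimit` the caller would typically close the connection rather than retry, so a single connection's pending output stays bounded by the cap.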
