Vulnerability in applications based on the hyper HTTP library

The hyper library, which implements the HTTP/1 and HTTP/2 protocols in Rust, has a memory-handling flaw that can be used to cause a denial of service by exhausting the memory available to the process. To exploit the vulnerability it is enough to send a specially crafted HTTP request to a vulnerable handler that uses hyper. The library is very popular (67 million downloads) and is used as a dependency by 2579 projects published in the crates.io catalog.

The vulnerability is caused by the lack of a limit on the size of the data carried in HTTP requests and responses. The hyper library offers the to_bytes function (Body::to_bytes) for reading a request or response body; it copies the whole body into a single buffer without checking the size of the data received. Accordingly, the attack boils down to sending a very large request or response, the processing of which leads to the allocation of a buffer that does not fit in the available memory. Notably, this behaviour is explicitly described in the documentation, which recommends checking the body size separately before calling the function, but the warning was ignored in various products that use hyper.

In practice the attacker does not even need to send a large amount of data: the body is processed as a stream of chunks and the buffer is pre-allocated based on the value of the Content-Length header, so it is enough to send an initial packet with a large value in Content-Length to trigger the allocation of a huge block of memory or an abnormal termination of the process.
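As an added illustration (not code from the hyper project or from the original report), the following self-contained Rust program models the flaw and the check that the documentation asks for. MockBody is a hypothetical stand-in for a streaming body whose size_hint mirrors what a Content-Length header provides (exact bounds) or what a chunked transfer provides (no upper bound); naive_capacity_request shows what the unbounded pattern would reserve from a forged header, and to_bytes_limited is a bounded collector that rejects an oversized declared length before allocating anything and also counts the bytes actually received, so that a body without Content-Length, or one that exceeds its declared length, is cut off as well. The 1 MiB limit is an example value.

```rust
use std::collections::VecDeque;

/// Returned when a body is rejected instead of being buffered.
#[derive(Debug, PartialEq)]
pub enum BodyError {
    /// The declared length (Content-Length) already exceeds the limit; nothing was read.
    DeclaredTooLarge { declared: u64, limit: usize },
    /// The stream kept going past the limit (chunked body, or a lying Content-Length).
    StreamTooLarge { limit: usize },
}

/// Hypothetical stand-in for a streaming HTTP body (not hyper's Body type).
/// Chunks arrive one at a time; `size_hint` returns (lower, upper) the way a
/// Content-Length (exact) or a chunked transfer (unknown) would set it.
pub struct MockBody {
    chunks: VecDeque<Vec<u8>>,
    declared_len: Option<u64>,
}

impl MockBody {
    pub fn new<T: AsRef<[u8]>>(chunks: &[T], declared_len: Option<u64>) -> Self {
        MockBody {
            chunks: chunks.iter().map(|c| AsRef::<[u8]>::as_ref(c).to_vec()).collect(),
            declared_len,
        }
    }

    /// (lower, upper): exact when a Content-Length was declared, (0, None) for chunked.
    pub fn size_hint(&self) -> (u64, Option<u64>) {
        match self.declared_len {
            Some(n) => (n, Some(n)),
            None => (0, None),
        }
    }

    /// Next chunk from the wire, or None at end of body.
    pub fn next_chunk(&mut self) -> Option<Vec<u8>> {
        self.chunks.pop_front()
    }
}

/// The unbounded pattern: trust the size hint and reserve that much up front,
/// then append until the stream ends. This returns the capacity it would
/// reserve instead of calling `Vec::with_capacity`, so the example itself
/// cannot exhaust memory; in a real server the allocation happens here and a
/// forged Content-Length of a few GiB is all the attacker has to send.
pub fn naive_capacity_request(body: &MockBody) -> u64 {
    body.size_hint().0
}

/// Bounded collector: reject on the declared length before allocating, reserve
/// at most `limit`, and count bytes as they arrive so chunked and lying bodies
/// are cut off too.
pub fn to_bytes_limited(body: &mut MockBody, limit: usize) -> Result<Vec<u8>, BodyError> {
    let (lower, upper) = body.size_hint();
    // Check 1: the declared size is attacker-controlled; if it cannot fit, stop
    // before touching the allocator. upper >= lower always holds, so checking
    // the upper bound (or the lower one when no upper bound exists) covers both.
    let declared = upper.unwrap_or(lower);
    if declared > limit as u64 {
        return Err(BodyError::DeclaredTooLarge { declared, limit });
    }
    // Pre-allocate only what is plausible and never more than the limit.
    let mut buf = Vec::with_capacity(declared.min(limit as u64) as usize);
    // Check 2: count the bytes actually received; the hint may be absent or false.
    while let Some(chunk) = body.next_chunk() {
        if buf.len() + chunk.len() > limit {
            return Err(BodyError::StreamTooLarge { limit });
        }
        buf.extend_from_slice(&chunk);
    }
    Ok(buf)
}

fn main() {
    const LIMIT: usize = 1 << 20; // 1 MiB, an example cap a handler might choose

    // Constructed input: forged Content-Length of 4 GiB, two bytes actually sent.
    let mut forged = MockBody::new(&["hi"], Some(4 << 30));
    println!("naive path would reserve {} bytes", naive_capacity_request(&forged));
    println!("bounded path: {:?}", to_bytes_limited(&mut forged, LIMIT));

    // Constructed input: chunked body with no Content-Length that keeps going.
    let big = vec![0u8; 600 * 1024];
    let mut chunked = MockBody::new(&[&big, &big], None);
    println!("chunked over limit: {:?}", to_bytes_limited(&mut chunked, LIMIT).map(|v| v.len()));

    // Constructed input: honest small body.
    let mut ok = MockBody::new(&["hello, ", "world"], Some(12));
    println!("ok: {:?}", to_bytes_limited(&mut ok, LIMIT).map(|v| v.len()));
}
```

The two checks are deliberately separate: the size-hint check is what stops the cheap attack (one packet with a huge Content-Length), while the running byte count is what protects handlers whose peers omit Content-Length or send more than they declared. Only the second check costs anything per chunk, and it is a single comparison.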
