1542d5d9 cryptonote_protocol: drop peers we can't download from when syncing (moneromooo-monero)
ff42af87 p2p: add a few missing connection close calls (moneromooo-monero)
5157060 Add debug targets to depends Makefile (TheCharlatan)
8475cbb Remove clutter in depends installed packages (TheCharlatan)
48c2659 Add ncurses package for linux and darwin readline (TheCharlatan)
Any peer that's behind us while syncing is useless to us (though
not to them). This ensures that we don't get our peer slots filled
with peers that we can't use. Once we've synced, we can connect
to them and they can then sync off us if they want.
The macos binaries in release v0.14.1.0 were compiled with the buggy
hidapi-0.8.0-rc1 version. This resulted in users not being able to use
their Ledger with the latest cli wallet. After the patch depends now
fetches the source from the libusb hidapi repository that has taken over
maintenance of hidapi.
To speedup the depends cached builds, remove some some clutter from the package
files. This mainly incldues removing all the shared libraries and .la
linker files. It also gives stronger guarantees that monero only links
the static libs without any external rvalues.
542cab02 rpc: restrict the recent cutoff size in restricted RPC mode (moneromooo-monero)
434e617a ensure no NULL is passed to memcpy (moneromooo-monero)
279f1f2c abstract_tcp_server2: improve DoS resistance (moneromooo-monero)
756773e5 serialization: check stream good flag at the end (moneromooo-monero)
e3f714aa tree-hash: allocate variable memory on heap, not stack (moneromooo-monero)
67baa3a6 cryptonote: throw on tx hash calculation error (moneromooo-monero)
d6bb9ecc serialization: fail on read_varint error (moneromooo-monero)
19490e44 cryptonote_protocol: fix another potential P2P DoS (moneromooo-monero)
fa4aa47e cryptonote_protocol: expand basic DoS protection (moneromooo-monero)
3c953d53 cryptonote_protocol_handler: prevent potential DoS (anonimal)
b873b69d epee: basic sanity check on allocation size from untrusted source (moneromooo-monero)
Essentially, one can send such a large amount of IDs that core exhausts
all free memory. This issue can theoretically be exploited using very
large CN blockchains, such as Monero.
This is a partial fix. Thanks and credit given to CryptoNote author
'cryptozoidberg' for collaboration and the fix. Also thanks to
'moneromooo'. Referencing HackerOne report #506595.
Riccardo Spagni