davidmoreno onion Log response.c onion_response_flush allocation of resources
Description
A vulnerability was found in davidmoreno onion. It has been rated as problematic. Affected by this issue is the function onion_response_flush of the file src/onion/response.c of the component Log Handler. The manipulation leads to allocation of resources. The name of the patch is de8ea938342b36c28024fd8393ebc27b8442a161. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-214028.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Log spamming and resource exhaustion in davidmoreno onion due to unbounded ONION_WARNING log calls in onion_response_flush.
Vulnerability
A vulnerability in the onion_response_flush function in src/onion/response.c of davidmoreno onion allows an attacker to trigger repeated ONION_WARNING log calls for each request that causes a write error on chunked encoding. Each log call allocates resources (memory and I/O), and without rate limiting, repeated exploitation can lead to resource exhaustion. The affected versions include those prior to commit de8ea938342b36c28024fd8393ebc27b8442a161 (the patch) [1][2].
Exploitation
An attacker must be able to send HTTP requests that cause a write error in the chunked encoding path. This can be achieved by sending a large number of requests (e.g., 200,000 iterations as shown in the proof-of-concept in [1]) that each trigger the warning. The attacker does not require authentication; only network access to the affected server is needed [1][2].
Impact
Successful exploitation causes the server to write numerous log messages, consuming disk space and I/O, and potentially exhausting system resources, leading to denial of service (DoS) for legitimate users [1][2].
Mitigation
The patch in commit de8ea938342b36c28024fd8393ebc27b8442a161 replaces the ONION_WARNING call with ONION_CALL_MAX_ONCE_PER_T_COUNT(1, ONION_WARNING, ...) which limits the warning to once per thread per count, preventing repeated logging. Users should update to a version containing this commit [1][2].
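The following added example (not code from the onion project or from the patch) illustrates the general mitigation the paragraph describes: gating a warning on an error path behind a limiter so that a flood of failed writes produces a bounded number of log lines. The names `log_limiter`, `limiter_allow` and `simulate_failed_writes`, the time-window policy, and the log text are assumptions made for illustration and do not reproduce the semantics of `ONION_CALL_MAX_ONCE_PER_T_COUNT`; the 200,000 failures match the iteration count cited above.

```c
#include <stdio.h>

/* Hypothetical limiter state, one per call site and per thread.
   Not onion's macro: a generic illustration of the same idea. */
typedef struct {
    long last_emit_s;          /* second at which a warning was last emitted */
    int primed;                /* 0 until the first warning has been emitted */
    unsigned long suppressed;  /* warnings dropped so far */
} log_limiter;

/* Return 1 if a warning may be written now, 0 if it must be dropped.
   Allows at most one warning per interval_s seconds. */
static int limiter_allow(log_limiter *l, long now_s, long interval_s) {
    if (l->primed && now_s - l->last_emit_s < interval_s) {
        l->suppressed++;
        return 0;
    }
    l->primed = 1;
    l->last_emit_s = now_s;
    return 1;
}

/* Simulate n failed writes arriving at per_second failures per second
   (constructed load). Returns how many warnings reach the log. */
static unsigned long simulate_failed_writes(unsigned long n, unsigned long per_second,
                                            long interval_s, log_limiter *l) {
    unsigned long emitted = 0;
    for (unsigned long i = 0; i < n; i++) {
        long now_s = (long)(i / per_second);   /* injected clock, for determinism */
        if (limiter_allow(l, now_s, interval_s)) {
            fprintf(stderr, "WARNING: write error (%lu similar dropped)\n", l->suppressed);
            emitted++;
        }
    }
    return emitted;
}

int main(void) {
    log_limiter l = {0};
    unsigned long emitted = simulate_failed_writes(200000, 50000, 1, &l);
    printf("emitted=%lu suppressed=%lu\n", emitted, l.suppressed);
    return 0;
}
```

In a real server the clock would come from a monotonic source such as `clock_gettime(CLOCK_MONOTONIC, ...)`, and the dropped-message count is worth keeping in the emitted line so responders can still see the size of the burst.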
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE), range: n/a
- osv-coords, 2 versions: < 136.0.2-r0
- (no CPE), range: < 136.0.2-r0
- (no CPE), range: < 136.0.2-r0