Fixing the Infinite Loop Bug in Bitcoin Core’s Dependency on Miniupnp
Bitcoin Core has disclosed an infinite loop bug in its dependency on miniupnp, the UPnP library it uses for port mapping. The fix shipped in Bitcoin Core v22.0, released on 13 September 2021. The issue is rated low severity.
Understanding the Bug
Miniupnp listens for discovery replies from UPnP devices on the local network and allocates memory for every device it hears from. It trusts whatever arrives: a host on the same LAN can pose as a UPnP device and keep sending oversized M-SEARCH replies, and the discovery loop keeps reading and allocating for as long as the replies keep coming, until the node runs out of memory. Only nodes started with the `-upnp` option are affected, and UPnP is off by default.
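The pattern behind the bug, as an added illustration that is not miniupnp's or Bitcoin Core's code: a discovery loop that keeps reading and allocating for as long as replies arrive, beside one that stops once fixed per-reply, total-byte, device-count and time budgets are spent. The SSDP replies, the attacker flood and the budget values are constructed for this example and are not taken from the real library.

```python
"""Simplified model of SSDP (UPnP) discovery-reply handling.

Added illustration, not code from miniupnp or Bitcoin Core. The budgets
below are assumed values chosen for the example; the replies are
constructed inline.
"""
from __future__ import annotations

import itertools
import time
from typing import Callable, Dict, Iterable, Iterator, List, Optional

# Assumed budgets: a genuine SSDP reply is a few hundred bytes, and a LAN
# rarely holds more than a handful of UPnP devices.
MAX_REPLY_BYTES = 4096
MAX_TOTAL_BYTES = 256 * 1024
MAX_DEVICES = 64
DEADLINE_SECONDS = 2.0

# Constructed example of a legitimate M-SEARCH reply from a gateway.
GENUINE_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"USN: uuid:example-igd::urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"LOCATION: http://192.168.1.1:49152/rootDesc.xml\r\n\r\n"
)


def parse_reply(raw: bytes) -> Optional[Dict[str, str]]:
    """Parse an SSDP M-SEARCH reply (an HTTP-style header block).
    Returns the headers keyed by upper-cased name, or None if the
    datagram is not a '200 OK' reply with well-formed headers."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    lines = text.split("\r\n")
    if not lines[0].upper().startswith("HTTP/1.1 200"):
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if line == "":
            break
        name, sep, value = line.partition(":")
        if not sep:
            return None
        headers[name.strip().upper()] = value.strip()
    return headers


def collect_unbounded(replies: Iterable[bytes]) -> List[Dict[str, str]]:
    """The pattern that goes wrong: read and allocate for as long as the
    network keeps delivering replies. A hostile peer then controls both the
    number of iterations and the size of each allocation, so an endless
    flood never returns and grows memory without limit."""
    devices: List[Dict[str, str]] = []
    for raw in replies:
        headers = parse_reply(raw)
        if headers is not None:
            devices.append(headers)
    return devices


def collect_bounded(replies: Iterable[bytes],
                    now: Callable[[], float] = time.monotonic) -> List[Dict[str, str]]:
    """Same loop with budgets: every datagram, accepted or not, is charged
    against a total byte budget, oversized replies are dropped before they
    are parsed, devices are deduplicated by USN, and the loop stops at a
    device cap or a wall-clock deadline whichever comes first."""
    devices: Dict[str, Dict[str, str]] = {}
    total = 0
    start = now()
    for raw in replies:
        if now() - start > DEADLINE_SECONDS:
            break
        total += len(raw)
        if total > MAX_TOTAL_BYTES:
            break
        if len(raw) > MAX_REPLY_BYTES:
            continue  # bloated reply: drop it, allocate nothing
        headers = parse_reply(raw)
        if headers is None or "USN" not in headers:
            continue
        devices.setdefault(headers["USN"], headers)
        if len(devices) >= MAX_DEVICES:
            break
    return list(devices.values())


def hostile_flood(sizes: Iterable[int]) -> Iterator[bytes]:
    """Constructed attacker traffic: one '200 OK' reply per requested size,
    each with a distinct USN and padded to that size by a junk header."""
    for i, size in enumerate(sizes):
        head = (
            f"HTTP/1.1 200 OK\r\nST: upnp:rootdevice\r\n"
            f"USN: uuid:evil-{i}::upnp:rootdevice\r\n"
            f"LOCATION: http://192.0.2.{i % 250 + 1}:1900/desc.xml\r\n"
        ).encode()
        pad = max(0, size - len(head) - len(b"X-PAD: \r\n\r\n"))
        yield head + b"X-PAD: " + b"A" * pad + b"\r\n\r\n"


def demo() -> Dict[str, int]:
    """Run both collectors against constructed traffic and return counts."""
    return {
        # 1000 small replies with distinct USNs: the unbounded loop keeps all.
        "unbounded_small": len(collect_unbounded(hostile_flood([200] * 1000))),
        # Same traffic: the bounded loop stops at the device cap.
        "bounded_small": len(collect_bounded(hostile_flood([200] * 1000))),
        # Endless flood of bloated replies: the byte budget ends the loop with
        # nothing stored. (collect_unbounded on this input would never return.)
        "bounded_bloated": len(collect_bounded(hostile_flood(itertools.repeat(8000)))),
        # A real gateway answering twice is recorded once.
        "bounded_genuine": len(collect_bounded([GENUINE_REPLY, GENUINE_REPLY])),
    }


if __name__ == "__main__":
    print(demo())
```

Charging dropped datagrams against the byte budget is the detail that matters: if only stored replies counted, an endless stream of oversized replies would still spin the loop until the deadline, which is exactly the "keeps reading" behaviour the disclosure describes.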
Acknowledging the Contributors
Ronald Huveneers first reported the infinite loop bug to the miniupnp project, and Michael Ford (fanquake) then reported it to the Bitcoin Core project. Ford provided a proof of concept that triggers the out-of-memory condition and a pull request updating Bitcoin Core's build dependencies to include the necessary fixes. Their combined effort led to a timely resolution of the issue.
Timeline of Events
- 17-09-2020 – Ronald Huveneers reports the infinite loop bug to miniupnp
- 13-10-2020 – Preliminary report sent to security@bitcoincore.org by Michael Ford
- 23-03-2021 – Fixes merged
- 13-09-2021 – v22.0 released
- 31-07-2024 – Public disclosure