
Buffer vulnerability with websockets module

I read this article and cannot let it go, because I cannot understand what the problem actually is. It itches my brain.

All I can understand is:

The ws module has a ping functionality.

Because internally ws ping transforms all the data we send into a Buffer instance, it is possible to allocate a big amount of bytes if the Buffer gets a number instead of a string.

So ws uses new Buffer(100); that allocates more bytes than new Buffer('100'); and this is bad because we allocate (= use, bind, tie down) more bytes, making the server work harder when we could make it work less.

That's it. The parts about the "returned non-zeroed buffer" and leaked memory are all rocket science to me.

Servers and buffers are not my strong suit, so I could use a simple explanation about what is going on.

That article discloses a vulnerability where a client might be able to receive a pong response that contains bytes from some random memory from the server. In some cases, this memory might contain private/secret stuff from the server so it is considered an unsafe practice. This is not about making the server work harder, but is about the security of stuff stored in server memory.

Because of the way nodejs allocates buffers, the article describes that the uninitialized memory that could be accidentally sent to a client in a pong request would be memory that had been previously used for Buffer allocations, not any random memory from the server.

The "leak" it refers to is an unintended leak of information from the server to the outside world, not a memory leak on the server.

The problem appears to have been fixed in version 1.0.1 of the ws module.
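To make the number-versus-string point concrete, here is an added example (not code from the ws project or from either poster) of a simplified pong builder that reproduces the pattern the answer describes, beside a hardened version. The names `vulnerablePong` and `safePong` are assumed; since Node 8 `new Buffer(size)` is zero-filled, `Buffer.allocUnsafe` stands in for the older constructor's uninitialised allocation.

```javascript
// Added example: models the ws ping/pong buffer issue discussed above.
// Helper names (vulnerablePong, safePong) are assumed, not from ws.

// Vulnerable pattern: the client's ping payload goes straight into the Buffer
// constructor. If `data` is the number 100 rather than the string "100", the
// old `new Buffer(100)` form allocated 100 bytes of uninitialised memory,
// and that memory is what the pong would echo back to the client.
// Buffer.allocUnsafe models that older behaviour (recycled pool memory).
function vulnerablePong(data) {
  if (typeof data === 'number') {
    // 100 bytes long, contents are whatever was previously in the pool
    return Buffer.allocUnsafe(data);
  }
  return Buffer.from(data);
}

// Hardened pattern: the payload is only ever treated as bytes or text,
// never as an allocation size, so no uninitialised memory can be returned.
function safePong(data) {
  if (Buffer.isBuffer(data)) {
    return Buffer.from(data); // private copy, not a slice of the shared pool
  }
  if (typeof data === 'string') {
    return Buffer.from(data, 'utf8');
  }
  // Numbers and anything else are coerced to their text form: the number 100
  // becomes the 3-byte string "100" instead of a 100-byte allocation.
  return Buffer.from(String(data), 'utf8');
}

// Returns true when every byte is zero, i.e. nothing from old memory leaks.
function isZeroed(buf) {
  return buf.every((b) => b === 0);
}

module.exports = { vulnerablePong, safePong, isZeroed };
```

Running `vulnerablePong(100)` versus `safePong(100)` shows the difference in length (100 bytes versus 3) that the question is asking about; on a real server the former's contents would be stale pool memory.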
