security-research-notebook/dragonfly-stream-restore-oom/index.html

324 lines · html
<!doctype html>
<html lang="en"><head><meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Authenticated DoS: Dragonfly Server Crash via Crafted Stream RESTORE Payload | Zion Boggan</title>
<meta name="description" content="Unbounded allocation in Dragonfly&amp;#x27;s stream RESTORE path.">
<link rel="icon" href="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 32 32'%3E%3Crect width='32' height='32' rx='6' fill='%230c0e12'/%3E%3Ctext x='16' y='22' font-family='monospace' font-size='15' fill='%236cc7b8' text-anchor='middle'%3Ezb%3C/text%3E%3C/svg%3E">
<style>
  :root{
    --bg:#0c0e12; --bg2:#0f1217; --panel:#14181f; --panel2:#171c24;
    --line:#222936; --line2:#2c3543;
    --ink:#e8eaed; --soft:#c3cad4; --muted:#8a94a3; --faint:#5d6675;
    --accent:#6cc7b8; --accent-dim:#274b47;
    --maxw:1020px;
  }
  *{box-sizing:border-box;}
  html{scroll-behavior:smooth;}
  body{margin:0;background:var(--bg);color:var(--ink);
    font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,Helvetica,Arial,sans-serif;
    font-size:16px;line-height:1.65;-webkit-font-smoothing:antialiased;}
  .mono{font-family:ui-monospace,SFMono-Regular,"SF Mono",Menlo,Consolas,monospace;}
  a{color:var(--accent);text-decoration:none;}
  a:hover{color:#8fe0d2;}
  .wrap{max-width:var(--maxw);margin:0 auto;padding:0 24px;}
 
  /* nav */
  nav{position:sticky;top:0;z-index:20;background:rgba(12,14,18,.82);
    backdrop-filter:blur(10px);border-bottom:1px solid var(--line);}
  nav .wrap{display:flex;align-items:center;justify-content:space-between;height:58px;}
  nav .brand{font-weight:600;letter-spacing:.2px;}
  nav .brand .dot{color:var(--accent);}
  nav .links{display:flex;gap:26px;font-size:13.5px;}
  nav .links a{color:var(--muted);}
  nav .links a:hover{color:var(--ink);}
  @media(max-width:680px){nav .links{display:none;}}
 
  /* hero */
  header.hero{padding:74px 0 54px;border-bottom:1px solid var(--line);
    background:radial-gradient(900px 380px at 78% -10%, #11201e 0%, transparent 60%);}
  .avail{font-size:12.5px;letter-spacing:1.5px;text-transform:uppercase;color:var(--accent);
    display:flex;align-items:center;gap:9px;margin-bottom:20px;}
  .avail .pulse{width:7px;height:7px;border-radius:50%;background:var(--accent);
    box-shadow:0 0 0 0 rgba(108,199,184,.5);animation:p 2.4s infinite;}
  @keyframes p{0%{box-shadow:0 0 0 0 rgba(108,199,184,.45)}70%{box-shadow:0 0 0 8px rgba(108,199,184,0)}100%{box-shadow:0 0 0 0 rgba(108,199,184,0)}}
  h1{font-size:clamp(34px,6vw,52px);line-height:1.05;margin:0 0 8px;letter-spacing:-1px;font-weight:680;}
  .hero .sub{font-size:clamp(16px,2.4vw,20px);color:var(--soft);margin:0 0 24px;font-weight:500;}
  .hero .lede{max-width:660px;color:var(--soft);font-size:17px;margin:0 0 28px;}
  .hero .lede b{color:var(--ink);font-weight:600;}
  .cta{display:flex;flex-wrap:wrap;gap:12px;align-items:center;}
  .btn{display:inline-flex;align-items:center;gap:8px;padding:10px 18px;border-radius:8px;
    font-size:14.5px;font-weight:550;border:1px solid var(--line2);color:var(--ink);background:var(--panel);}
  .btn:hover{border-color:var(--accent-dim);background:var(--panel2);color:var(--ink);}
  .btn.primary{background:var(--accent);color:#06231f;border-color:var(--accent);font-weight:650;}
  .btn.primary:hover{background:#8fe0d2;color:#06231f;}
  .meta{margin-top:26px;display:flex;flex-wrap:wrap;gap:8px 22px;font-size:13px;color:var(--muted);}
  .meta .mono{color:var(--faint);}
 
  /* sections */
  section{padding:64px 0;border-bottom:1px solid var(--line);}
  .shead{display:flex;align-items:baseline;gap:14px;margin-bottom:30px;}
  .shead .idx{font-size:13px;color:var(--accent);letter-spacing:1px;}
  .shead h2{font-size:14px;letter-spacing:2px;text-transform:uppercase;color:var(--muted);margin:0;font-weight:600;}
  .shead .rule{flex:1;height:1px;background:var(--line);}
 
  /* flagship */
  .flag{background:linear-gradient(180deg,var(--panel) 0%,var(--bg2) 100%);
    border:1px solid var(--line2);border-radius:14px;overflow:hidden;}
  .flag .top{padding:30px 32px 8px;}
  .flag .tag{font-size:12px;letter-spacing:1.5px;text-transform:uppercase;color:var(--accent);margin-bottom:12px;}
  .flag h3{font-size:27px;margin:0 0 6px;letter-spacing:-.4px;}
  .flag h3 .v{font-size:13px;color:var(--muted);font-weight:500;margin-left:8px;letter-spacing:0;}
  .flag .grid{display:grid;grid-template-columns:1.25fr 1fr;gap:30px;padding:14px 32px 30px;}
  .flag p{color:var(--soft);margin:0 0 16px;}
  .flag .stats{display:grid;grid-template-columns:1fr 1fr;gap:12px;margin-top:6px;}
  .stat{background:var(--bg);border:1px solid var(--line);border-radius:9px;padding:13px 15px;}
  .stat .n{font-size:21px;font-weight:680;color:var(--ink);}
  .stat .k{font-size:12px;color:var(--muted);margin-top:2px;}
  .spec{background:var(--bg);border:1px solid var(--line);border-radius:10px;padding:18px 18px;}
  .spec .sk{font-size:11px;letter-spacing:1.5px;text-transform:uppercase;color:var(--faint);margin-bottom:10px;}
  .spec ul{margin:0;padding:0;list-style:none;font-size:13.5px;}
  .spec li{padding:6px 0;border-top:1px solid var(--line);color:var(--soft);display:flex;justify-content:space-between;gap:14px;}
  .spec li:first-child{border-top:none;}
  .spec li span{color:var(--muted);}
  .flag .foot{padding:0 32px 28px;display:flex;gap:18px;flex-wrap:wrap;font-size:14px;}
  @media(max-width:720px){.flag .grid{grid-template-columns:1fr;}}
 
  /* lab cards */
  .cards{display:grid;grid-template-columns:1fr 1fr;gap:20px;}
  @media(max-width:680px){.cards{grid-template-columns:1fr;}}
  .card{border:1px solid var(--line);border-radius:12px;overflow:hidden;background:var(--panel);
    display:flex;flex-direction:column;transition:border-color .15s,transform .15s;}
  .card:hover{border-color:var(--accent-dim);transform:translateY(-2px);}
  .card .thumb{height:172px;overflow:hidden;border-bottom:1px solid var(--line);background:#fff;}
  .card .thumb img{width:100%;height:100%;object-fit:cover;object-position:top left;display:block;}
  .card .body{padding:18px 20px 20px;display:flex;flex-direction:column;flex:1;}
  .card h3{margin:0 0 9px;font-size:17px;}
  .card p{margin:0 0 14px;font-size:14px;color:var(--soft);flex:1;}
  .tags{display:flex;flex-wrap:wrap;gap:6px;margin-bottom:14px;}
  .tags span{font-size:11.5px;color:var(--muted);background:var(--bg);border:1px solid var(--line);
    border-radius:5px;padding:3px 8px;}
  .card .lnk{font-size:13.5px;font-family:ui-monospace,Menlo,monospace;}
  .card .lnk::after{content:" →";}
 
  /* research */
  .rlede{color:var(--soft);max-width:680px;margin:-6px 0 26px;}
  .research{display:flex;flex-direction:column;gap:0;border:1px solid var(--line);border-radius:12px;overflow:hidden;}
  .ritem{display:grid;grid-template-columns:120px 1fr auto;gap:18px;align-items:center;
    padding:18px 22px;border-top:1px solid var(--line);}
  .ritem:first-child{border-top:none;}
  .ritem:hover{background:var(--panel);}
  .ritem .cls{font-size:11px;letter-spacing:.5px;text-transform:uppercase;color:var(--accent);}
  .ritem h3{margin:0 0 3px;font-size:16px;}
  .ritem p{margin:0;font-size:13.5px;color:var(--muted);}
  .ritem .go{font-family:ui-monospace,Menlo,monospace;font-size:13px;white-space:nowrap;}
  @media(max-width:680px){.ritem{grid-template-columns:1fr;gap:6px;}.ritem .go{margin-top:4px;}}
  .progs{margin-top:22px;}
  .progs .sk{font-size:11px;letter-spacing:1.5px;text-transform:uppercase;color:var(--faint);margin-bottom:11px;}
  .progs .row{display:flex;flex-wrap:wrap;gap:7px;}
  .progs .row span{font-size:12.5px;color:var(--soft);background:var(--panel);border:1px solid var(--line);
    border-radius:6px;padding:4px 10px;}
 
  /* credentials */
  .cred{display:grid;grid-template-columns:1.1fr 1fr;gap:28px;}
  @media(max-width:680px){.cred{grid-template-columns:1fr;}}
  .cred p{color:var(--soft);margin:0 0 14px;}
  .cred .role{font-size:14px;color:var(--muted);}
  .cred .role b{color:var(--ink);font-weight:600;}
  .certs{list-style:none;margin:0;padding:0;}
  .certs li{padding:9px 0;border-top:1px solid var(--line);font-size:14px;color:var(--soft);
    display:flex;gap:10px;align-items:baseline;}
  .certs li:first-child{border-top:none;}
  .certs li .c{color:var(--accent);font-family:ui-monospace,Menlo,monospace;font-size:12px;}
 
  footer{padding:46px 0 64px;}
  footer .row{display:flex;flex-wrap:wrap;justify-content:space-between;gap:18px;align-items:center;}
  footer .links a{color:var(--soft);margin-right:20px;font-size:14px;}
  footer .note{color:var(--faint);font-size:12.5px;max-width:520px;}
 
  .detail-hero{padding:40px 0 26px;}
  .back{display:inline-block;font-size:13px;color:var(--muted);margin-bottom:20px;font-family:ui-monospace,Menlo,monospace;}
  .back:hover{color:var(--ink);}
  .kicker{font-size:12px;letter-spacing:2px;text-transform:uppercase;color:var(--accent);margin-bottom:13px;font-family:ui-monospace,Menlo,monospace;}
  .detail-hero h1{font-size:clamp(26px,4.6vw,38px);margin:0 0 12px;letter-spacing:-.5px;}
  .detail-hero .tagline{font-size:clamp(15px,2vw,18px);color:var(--soft);max-width:800px;margin:0 0 16px;}
  .facts{display:grid;grid-template-columns:repeat(auto-fit,minmax(150px,1fr));gap:12px;margin-top:22px;}
  .content{padding:8px 0 0;max-width:840px;}
  .content h1{font-size:24px;margin:40px 0 14px;letter-spacing:-.4px;color:var(--ink);}
  .content h2{font-size:13px;letter-spacing:2px;text-transform:uppercase;color:var(--muted);margin:42px 0 15px;font-weight:600;border-top:1px solid var(--line);padding-top:28px;}
  .content h3{font-size:17px;margin:28px 0 10px;color:var(--ink);font-weight:600;}
  .content h4{font-size:14px;margin:22px 0 8px;color:var(--soft);font-weight:600;text-transform:uppercase;letter-spacing:.5px;}
  .content p{color:var(--soft);margin:0 0 15px;}
  .content ul,.content ol{color:var(--soft);margin:0 0 15px;padding-left:22px;}
  .content li{margin:5px 0;}
  .content strong{color:var(--ink);font-weight:600;}
  .content a{color:var(--accent);}
  .content code{font-family:ui-monospace,Menlo,monospace;font-size:12.8px;background:var(--panel2);border:1px solid var(--line);border-radius:4px;padding:1px 5px;color:var(--soft);}
  .content pre{background:var(--bg2);border:1px solid var(--line2);border-radius:10px;padding:15px 18px;overflow-x:auto;margin:0 0 18px;}
  .content pre code{background:none;border:none;padding:0;font-size:12.4px;color:var(--soft);line-height:1.6;white-space:pre;}
  .content table{width:100%;border-collapse:collapse;margin:2px 0 20px;font-size:13.3px;}
  .content th{text-align:left;color:var(--muted);font-weight:600;border-bottom:1px solid var(--line2);padding:9px 12px;font-size:11px;letter-spacing:.6px;text-transform:uppercase;}
  .content td{color:var(--soft);border-bottom:1px solid var(--line);padding:9px 12px;vertical-align:top;}
  .content blockquote{border-left:3px solid var(--accent-dim);margin:0 0 16px;padding:2px 0 2px 18px;color:var(--muted);}
  .content hr{border:none;border-top:1px solid var(--line);margin:30px 0;}
  /* notebook index */
  .nbgroup{margin:40px 0 0;}
  .nbgroup h2{font-size:13px;letter-spacing:2px;text-transform:uppercase;color:var(--accent);margin:0 0 4px;font-weight:600;}
  .nbgroup .gd{color:var(--faint);font-size:13px;margin:0 0 14px;}
  .nbtable{width:100%;border-collapse:collapse;font-size:14px;border:1px solid var(--line);border-radius:12px;overflow:hidden;}
  .nbtable tr{border-top:1px solid var(--line);}
  .nbtable tr:first-child{border-top:none;}
  .nbtable tr:hover{background:var(--panel);}
  .nbtable td{padding:14px 16px;vertical-align:top;}
  .nbtable .cls{white-space:nowrap;color:var(--accent);font-family:ui-monospace,Menlo,monospace;font-size:11.5px;text-transform:uppercase;letter-spacing:.5px;width:150px;}
  .nbtable .ti a{font-weight:600;color:var(--ink);}
  .nbtable .ti a:hover{color:var(--accent);}
  .nbtable .ol{color:var(--muted);font-size:13px;margin-top:3px;}
  @media(max-width:680px){.nbtable .cls{width:auto;display:block;}}
</style>
<link rel="canonical" href="https://zionboggan.com/security-research-notebook/dragonfly-stream-restore-oom/">
<meta name="author" content="Zion Boggan">
<meta name="robots" content="index, follow, max-image-preview:large">
<meta property="og:type" content="article">
<meta property="og:site_name" content="Zion Boggan">
<meta property="og:title" content="Authenticated DoS: Dragonfly Server Crash via Crafted Stream RESTORE Payload | Zion Boggan">
<meta property="og:description" content="Unbounded allocation in Dragonfly&amp;#x27;s stream RESTORE path.">
<meta property="og:url" content="https://zionboggan.com/security-research-notebook/dragonfly-stream-restore-oom/">
<meta property="og:image" content="https://zionboggan.com/assets/og-default.png">
<meta name="twitter:card" content="summary_large_image">
<meta name="twitter:title" content="Authenticated DoS: Dragonfly Server Crash via Crafted Stream RESTORE Payload | Zion Boggan">
<meta name="twitter:description" content="Unbounded allocation in Dragonfly&amp;#x27;s stream RESTORE path.">
<meta name="twitter:image" content="https://zionboggan.com/assets/og-default.png">
<script type="application/ld+json">{"@context":"https://schema.org","@type":"TechArticle","headline":"Authenticated DoS: Dragonfly Server Crash via Crafted Stream RESTORE Payload","description":"Unbounded allocation in Dragonfly&amp;#x27;s stream RESTORE path.","url":"https://zionboggan.com/security-research-notebook/dragonfly-stream-restore-oom/","image":"https://zionboggan.com/assets/og-default.png","author":{"@type":"Person","name":"Zion Boggan","url":"https://zionboggan.com"},"publisher":{"@type":"Person","name":"Zion Boggan"}}</script>
</head><body>
<nav><div class="wrap">
  <a class="brand mono" href="/" style="color:var(--ink)">zion_boggan<span class="dot">.</span></a>
  <span class="links"><a href="/#oversight">Oversight</a><a href="/#labs">Labs</a><a href="/#research">Research</a><a href="/security-research-notebook/">Notebook</a><a href="/">Home</a></span>
</div></nav>
<header class="hero detail-hero"><div class="wrap">
  <a class="back" href="/security-research-notebook/">&larr; Research notebook</a>
  <div class="kicker">DoS / OOM</div>
  <h1>Authenticated DoS: Dragonfly Server Crash via Crafted Stream RESTORE Payload</h1>
</div></header>
<section><div class="wrap"><div class="content">
<h2>Summary</h2>
<p>A vulnerability in Dragonfly&rsquo;s RDB deserialization allows an authenticated user to crash the server process by sending a single <code>RESTORE</code> command with a crafted stream payload. The vulnerability is caused by unbounded memory allocation in the stream consumer group deserialization path (<code>ReadStreams()</code> in <code>rdb_load.cc</code>), where attacker-controlled length values from the serialized payload are used directly in <code>std::vector::resize()</code> without any upper bound validation.</p>
<h2>Severity</h2>
<p><strong>P2, Server Availability</strong> (CVSS 7.5: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)</p>
<p>This is a denial-of-service vulnerability that crashes the entire Dragonfly server process, affecting all connected clients and all databases on the instance. On Aiven managed Dragonfly, every authenticated database user can trigger this.</p>
<h2>Vulnerability Details</h2>
<h3>Root Cause</h3>
<p>In <code>src/server/rdb_load.cc</code>, the <code>ReadStreams()</code> function deserializes stream data from RDB payloads (including <code>RESTORE</code> command input). Several length values are read from the attacker-controlled payload and used directly in memory allocation without upper bound checks:</p>
<p><strong>Location 1, Consumer group count (most direct)</strong>:</p>
<pre><code class="language-cpp">// rdb_load.cc, ReadStreams()
uint64_t cgroups_count;
SET_OR_UNEXPECT(LoadLen(nullptr), cgroups_count);
load_trace-&gt;stream_trace-&gt;cgroup.resize(cgroups_count);  // NO UPPER BOUND
</code></pre>
<p><strong>Location 2, PEL (Pending Entry List) size per group</strong>:</p>
<pre><code class="language-cpp">uint64_t pel_size;
SET_OR_UNEXPECT(LoadLen(nullptr), pel_size);
cgroup.pel_arr.resize(pel_size);  // NO UPPER BOUND
</code></pre>
<p><strong>Location 3, Consumer count per group</strong>:</p>
<pre><code class="language-cpp">uint64_t consumers_num;
SET_OR_UNEXPECT(LoadLen(nullptr), consumers_num);
cgroup.cons_arr.resize(consumers_num);  // NO UPPER BOUND
</code></pre>
<p><strong>Location 4, Per-consumer NACK array</strong>:</p>
<pre><code class="language-cpp">SET_OR_UNEXPECT(LoadLen(nullptr), pel_size);
consumer.nack_arr.resize(pel_size);  // NO UPPER BOUND
</code></pre>
<h3>Attack Path</h3>
<ol>
<li>Attacker authenticates to the Dragonfly instance (standard database credentials)</li>
<li>Attacker sends: <code>RESTORE key 0 &lt;crafted_payload&gt; REPLACE</code></li>
<li>The payload encodes <code>RDB_TYPE_STREAM_LISTPACKS_3</code> (type 21) with:, 1 valid stream node (passes initial validation), Valid stream metadata, Consumer groups count set to 1,073,741,824 (1 billion)</li>
<li><code>ReadStreams()</code> calls <code>cgroup.resize(1073741824)</code></li>
<li>Each <code>StreamCGTrace</code> is ~100 bytes → attempts to allocate ~100GB</li>
<li><code>std::vector::resize()</code> throws <code>std::bad_alloc</code></li>
<li>Exception is uncaught in the RESTORE command path → <code>std::terminate()</code> → process crash</li>
</ol>
<h3>Crash Mechanism</h3>
<p>The <code>RESTORE</code> command path (<code>GenericFamily::Restore()</code> → <code>OpRestore()</code> → <code>RdbRestoreValue::Add()</code> → <code>Parse()</code> → <code>ReadObj()</code> → <code>ReadStreams()</code>) does not wrap the deserialization in a try-catch block. When <code>std::bad_alloc</code> is thrown by the vector allocation, it propagates through the entire call chain and terminates the process.</p>
<h2>Proof of Concept</h2>
<h3>Environment</h3>
<ul>
<li>Dragonfly v1.37.2 (<code>docker.dragonflydb.io/dragonflydb/dragonfly:latest</code>)</li>
<li>Docker container on Linux host</li>
</ul>
<h3>Steps to Reproduce</h3>
<ol>
<li>Start Dragonfly:</li>
</ol>
<pre><code class="language-bash">docker run -d --name dragonfly-test -p 6379:6379 \
  docker.dragonflydb.io/dragonflydb/dragonfly:latest
</code></pre>
<ol start="2">
<li>Run the PoC script:</li>
</ol>
<pre><code class="language-bash">python3 poc_stream_oom.py --host 127.0.0.1 --port 6379
</code></pre>
<ol start="3">
<li>Observe: the Dragonfly process crashes and is no longer reachable.</li>
</ol>
<h3>PoC Script Output</h3>
<pre><code>[*] Building crafted stream RESTORE payload...
[*] Consumer group count: 1,073,741,824 (0x40000000)
[*] Payload size: 87 bytes
[+] Connected to server: df-v1.37.2
 
[!] Sending crafted RESTORE command...
[!] Key: __poc_crash_key__
[!] Expected result: server process crash (std::bad_alloc → terminate)
[?] Unexpected error: TimeoutError: Timeout reading from socket
 
[*] Checking if server is still alive...
[+] Server is NOT responding - crash confirmed!
</code></pre>
<h3>Impact Demonstration</h3>
<p>In our testing, the crafted payload with <code>cgroups_count = 4,294,967,296</code> (4 billion) not only crashed the Dragonfly process but triggered the Linux OOM killer, taking down the entire host system including SSH access. The host required several minutes to recover.</p>
<p><strong>On Aiven&rsquo;s managed infrastructure</strong>, this means a single authenticated database user could:
1. Crash their Dragonfly instance (immediate service disruption)
2. Potentially trigger OOM on shared infrastructure (affecting other tenants)
3. Repeat the attack on service restart for sustained DoS</p>
<h2>Affected Code</h2>
<ul>
<li><strong>File</strong>: <code>src/server/rdb_load.cc</code></li>
<li><strong>Function</strong>: <code>RdbLoaderBase::ReadStreams()</code></li>
<li><strong>Lines</strong>: Consumer group resize (~line 1690), PEL resize (~line 1710), consumer resize (~line 1720), NACK resize (~line 1740)</li>
<li><strong>Version</strong>: Confirmed on v1.37.2, likely affects all versions with stream support</li>
</ul>
<h2>Suggested Fix</h2>
<p>Add upper bound validation for all attacker-controlled length values before allocation:</p>
<pre><code class="language-cpp">// Before resize operations in ReadStreams:
constexpr uint64_t kMaxCGroups = 1 &lt;&lt; 20;      // 1M consumer groups
constexpr uint64_t kMaxPelSize = 1 &lt;&lt; 24;      // 16M PEL entries
constexpr uint64_t kMaxConsumers = 1 &lt;&lt; 20;    // 1M consumers
 
if (cgroups_count &gt; kMaxCGroups) {
    LOG(ERROR) &lt;&lt; &quot;Stream consumer group count too large: &quot; &lt;&lt; cgroups_count;
    return Unexpected(errc::rdb_file_corrupted);
}
load_trace-&gt;stream_trace-&gt;cgroup.resize(cgroups_count);
</code></pre>
<p>Additionally, consider wrapping the <code>RdbRestoreValue::Add()</code> path in a try-catch for <code>std::bad_alloc</code> to prevent any remaining unbounded allocation from crashing the process.</p>
<h2>References</h2>
<ul>
<li>Dragonfly source: https://github.com/dragonflydb/dragonfly</li>
<li>Similar class: CVE-2023-41056 (Redis RESTORE heap overflow), CVE-2023-41053 (Redis listpack integer overflow)</li>
<li>RDB format specification: https://rdb.fnordig.de/file_format.html</li>
</ul>
<h2>Proof of concept</h2>
<ul>
<li><a href="poc/dragonfly-stream-oom.py"><code>poc/dragonfly-stream-oom.py</code></a>, Stream RESTORE OOM crash.</li>
<li><a href="poc/dragonfly-cms-oom.py"><code>poc/dragonfly-cms-oom.py</code></a>, Count-Min-Sketch RESTORE OOM (related family).</li>
</ul>
<pre><code class="language-bash">python3 poc/dragonfly-stream-oom.py &lt;host&gt; &lt;port&gt; &lt;password&gt;
</code></pre>
<hr><p style="color:var(--faint);font-size:12.5px;font-family:ui-monospace,Menlo,monospace">Source &middot; github.com/zionboggan/security-research-notebook &middot; writeups/aiven/dragonfly-stream-restore-oom.md</p>
</div></div></section>
<footer><div class="wrap row">
  <div class="links"><a href="/">Portfolio</a><a href="https://www.linkedin.com/in/zion-boggan">LinkedIn</a><a href="/security-research-notebook/">Notebook</a><a href="mailto:zionboggan0@gmail.com">Email</a></div>
  <div class="note">Coordinated-disclosure research. Findings appear here only after the program's disclosure window closed, the patch shipped, or a CVE was published. No customer data was accessed.</div>
</div></footer>
</body></html>