Malformed CAR panics and excessive memory usage
Description

### Impact

**Versions impacted**
* `=` [email protected]
* `>=` [email protected]

**Description of user-facing changes**

***[email protected]*** imposes a fixed maximum header length and section length of 32 MiB during decode. Headers exceeding this length will cause the decoder to return an error as the initial CAR decode occurs. Sections (the combination of CID and block data) exceeding this length will cause the decoder to return an error as that section is read.

The default maximum of 32 MiB may be changed _globally_ in an application instance by directly changing the `MaxAllowedSectionSize` variable in the `github.com/ipld/go-car/util` package.

We recommend that users of go-car@v0 upgrade to go-car@v2, where these maximums may be applied per-decode rather than globally.

***[email protected]*** imposes a default maximum header length of 32 MiB and a default maximum section length of 8 MiB. Headers exceeding this length will cause the decoder to return an error as the initial CAR decode occurs. Sections (the combination of CID and block data) exceeding this length will cause the decoder to return an error as that section is read.

The default values may be adjusted by supplying a `MaxAllowedHeaderSize(x)` or `MaxAllowedSectionSize(y)` option to any decode function that accepts options. These include:

* `OpenReader()`
* `NewReader()`
* `NewBlockReader()`
* `ReadVersion()`
* `LoadIndex()`
* `GenerateIndex()`
* `ReadOrGenerateIndex()`
* `WrapV1()`
* `ExtractV1File()`
* `ReplaceRootsInFile()`
* `blockstore/NewBlockReader()`
* `blockstore/NewReadOnly()`
* `blockstore/OpenReadOnly()`
* `blockstore/OpenReadWrite()`

Please be aware that the default values are **very generous** and may be lowered where a user wants to impose restrictions closer to typical sizes.

* Typical header lengths should be on the order of 60 bytes, but the CAR format does not specify a maximum number of roots a header may contain. The default maximum of 32 MiB makes room for novel uses of the CAR format.
* Typical IPLD block sizes are under 2 MiB, and it is generally recommended that they not be above 1 MiB for maximum interoperability (e.g. there are hard limitations when sharing IPLD data with IPFS). CARv1 sections are the concatenation of CID and block bytes. The default maximum section length of 8 MiB makes room for novel IPLD data.
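The length limits described above, shown as an added example in plain Go with no dependency on go-car (this is not go-car's own code): a minimal CARv1 walker that compares each declared header and section length against a maximum before allocating a buffer, which is the shape of the mitigation. The function names `readLD` and `CountSections` and the limits passed in `main` are this example's own; the CARv1 framing (unsigned varint length prefix, then header bytes or CID+block bytes) follows the linked specification.

```go
package main

import (
	"bufio"
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

var ErrTooLarge = errors.New("car: length-delimited unit exceeds maximum")

// readLD reads one CARv1 length-delimited unit (header, or CID+block section):
// uvarint length then payload. The length is checked against max BEFORE allocating.
func readLD(r *bufio.Reader, max uint64) ([]byte, error) {
	n, err := binary.ReadUvarint(r)
	if err != nil {
		return nil, err
	}
	if n > max {
		return nil, fmt.Errorf("%w: %d > %d", ErrTooLarge, n, max)
	}
	buf := make([]byte, n)
	_, err = io.ReadFull(r, buf)
	return buf, err
}

// CountSections walks a CARv1 stream (header, then sections until EOF) and
// returns how many sections were read, or the first error encountered.
func CountSections(car []byte, maxHeader, maxSection uint64) (int, error) {
	r := bufio.NewReader(bytes.NewReader(car))
	if _, err := readLD(r, maxHeader); err != nil {
		return 0, fmt.Errorf("header: %w", err)
	}
	for count := 0; ; count++ {
		if _, err := r.Peek(1); err == io.EOF {
			return count, nil
		}
		if _, err := readLD(r, maxSection); err != nil {
			return count, fmt.Errorf("section %d: %w", count, err)
		}
	}
}

func main() { // constructed input: a 3-byte header unit and one 9-byte section
	car := []byte("\x03hdr\x09cid+block")
	fmt.Println(CountSections(car, 32<<20, 8<<20)) // go-car v2 defaults: 32 MiB / 8 MiB
}
```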

***[email protected]*** introduces a new API that can be used to inspect a CAR and check for various errors, including those detailed in this advisory. The `Reader#Inspect(bool)` API returns a `Stats` object with various details about the CAR, such as its version, number of blocks, and details about codecs and multihashers used. When its argument is `true`, it will also perform a full hash consistency check of blocks contained within the CAR to ensure they match the CIDs. When `false`, block data is skipped over so a scan will likely be more efficient than reading blocks through a `BlockReader` if statistics and/or validity checking is all that’s required. Note that `Inspect()` does minimal checking of index data; the strong recommendation is that if index data is untrusted then it should be regenerated.

***[email protected]*** also includes additional documentation regarding the dangers of consuming CARv2 index data from untrusted sources and a recommendation to regenerate indexes of CAR data from such sources where an index is required.

### Workarounds

There are no workarounds for vulnerabilities in impacted versions decoding CARv1 data. Users of impacted versions should avoid accepting CAR data from untrusted sources.

OOM or excessive memory usage vulnerabilities resulting from CARv2 index parsing in impacted versions can be avoided by not reading indexes from CARv2 data from untrusted sources.

### References

Details on the CARv1 and CARv2 formats, including the composition of CARv1 headers and sections, and CARv2 indexes can be found in the CAR format specifications: https://ipld.io/specs/transport/car/

### For more information

If you have any questions or comments about this advisory please open an issue in [go-car](https://github.com/ipld/go-car).