Heap Overflow in Axum with Mutual Tls
Heap Overflow in Axum with Mutual Tls — how this specific combination creates or exposes the vulnerability
A heap overflow occurs when a program writes more data to a buffer allocated on the heap than it can hold, corrupting adjacent memory. In Axum, a Rust web framework, using mutual TLS (mTLS) does not inherently introduce a heap overflow, but the combination can expose or amplify risks when unsafe code, unchecked message sizes, and mTLS handshake data interact. For example, if an Axum service uses a Rust crate that performs unchecked memory operations (e.g., raw pointer manipulation or unchecked array growth) while processing TLS handshake records or application data, an oversized payload from an mTLS client can overflow a heap-allocated buffer.
Specifically, mTLS requires both client and server to present certificates during the TLS handshake. Axum relies on the underlying Rustls or OpenSSL provider for TLS termination. If the application layer then reads request bodies or headers into fixed-size heap buffers without proper length validation—such as reading a JSON payload into a pre-allocated byte vector that does not resize safely—an attacker could send a deliberately large mTLS-authenticated request to trigger the overflow. This could corrupt the heap metadata, leading to crashes or potentially allowing an attacker to influence control flow. While Rust’s safety features reduce the likelihood, using unsafe blocks or integrating with C libraries for mTLS operations can reintroduce these risks.
Consider an endpoint that accepts file uploads over mTLS and stores them in a heap-allocated buffer without size checks:
use axum::{routing::post, Router};
use std::net::SocketAddr;
async fn upload_handler(body: String) -> String {
// Danger: no length validation on body
let mut buffer = vec![0u8; 1024]; // fixed-size heap buffer
let data = body.into_bytes();
buffer[..data.len()].copy_from_slice(&data); // potential overflow if data > 1024
"ok".to_string()
}
#[tokio::main]
async fn main() {
let app = Router::new().route("/upload", post(upload_handler));
let addr = SocketAddr::from(([127, 0, 0, 1], 3000));
axum::Server::bind(&addr)
.https_only(true)
.tls_rustls(/* mTLS config */)
.serve(app.into_make_service())
.await
.unwrap();
}In this contrived example, if an mTLS-authenticated client sends a body larger than 1024 bytes, the copy overflows the heap buffer. Real-world crates may exhibit similar issues when integrating with TLS libraries that expose raw record sizes without proper bounds checking.
Because Axum is a safe framework, the heap overflow risk primarily arises from unsafe code, unchecked external inputs, or misconfigured TLS integrations. MiddleBrick’s scans can detect such issues by correlating unauthenticated behavior (e.g., large payload handling over mTLS) with patterns that suggest missing length validations, helping you identify where additional hardening is required.
Mutual Tls-Specific Remediation in Axum — concrete code fixes
To mitigate heap overflow risks in Axum with mutual TLS, focus on safe handling of incoming data, proper use of Rust’s type system, and secure mTLS configuration. Avoid unchecked buffer operations; prefer dynamic structures like Vec with controlled growth, and validate all input sizes before copying. Below are concrete, safe code examples.
1. Use safe, resizable buffers and validate lengths
Instead of fixed-size heap buffers, use Vec::with_capacity and extend safely, or simply work with String / Bytes directly:
use axum::{routing::post, Router};
use std::net::SocketAddr;
async fn upload_handler(body: String) -> String {
// Safe: work with the body directly; no fixed-size heap buffer
let data = body.into_bytes();
// Process data with bounds-checked operations
if data.len() > 1024 * 1024 { // enforce a sane max size
return "payload too large".to_string();
}
// Safe copy into a growable Vec
let mut buffer = Vec::with_capacity(data.len());
buffer.extend_from_slice(&data);
"ok".to_string()
}
#[tokio::main]
async fn main() {
let app = Router::new().route("/upload", post(upload_handler));
let addr = SocketAddr::from(([127, 0, 0, 1], 3000));
axum::Server::bind(&addr)
.https_only(true)
.tls_rustls(/* mTLS config */)
.serve(app.into_make_service())
.await
.unwrap();
}This approach eliminates the fixed buffer overflow risk by relying on safe, resizable heap allocations and explicit size checks.
2. Configure mTLS safely with Rustls in Axum
Ensure your Axum server enforces client certificates and uses safe Rustls configuration. The following example shows how to set up mTLS without introducing unsafe blocks:
use axum::Router;
use std::net::SocketAddr;
use tokio_rustls::rustls::{ServerConfig, Certificate, PrivateKey};
use tokio_rustls::TlsAcceptor;
use std::sync::Arc;
async fn build_mtls_config() -> Arc<TlsAcceptor> {
// Load server certificate and key
let certs = vec![Certificate(vec![] /* load cert bytes */)];
let key = PrivateKey(vec![] /* load key bytes */);
let mut server_config = ServerConfig::builder()
.with_safe_defaults()
.with_no_client_auth() // we will require client auth
.with_single_cert(certs, key)
.expect("valid certificate and key");
// Require and verify client certificates
server_config.client_auth_root_subjects = /* trusted CA subject list */;
server_config.client_auth_mode = tokio_rustls::rustls::server::ClientAuthMode::Required;
Arc::new(TlsAcceptor::from(Arc::new(server_config)))
}
#[tokio::main]
async fn main() {
let app = Router::new().route("/", post(|| async { "ok" }));
let addr = SocketAddr::from(([127, 0, 0, 1], 3000));
let tls_acceptor = build_mtls_config().await;
axum::Server::bind(&addr)
.tls_rustls(tls_acceptor)
.serve(app.into_make_service())
.await
.unwrap();
}This configuration ensures mutual authentication while avoiding unsafe memory practices. MiddleBrick can verify that your endpoints enforce mTLS and handle payloads safely, reducing the chance of heap-related issues.