Component
RPC / Tracker
Description
TCPEventHandler.on_message in python/tvm/rpc/tracker.py reads _msg_size from the wire as a signed int32 with no upper bound, then appends every subsequent socket read to self._data until len(self._data) >= self._msg_size + 4. A single TCP connection sending a 4-byte size header of 0x7FFFFFFF followed by a stream of bytes grows the buffer until the tracker process OOMs.
A second variant: if the wire size decodes to 0, the inner if self._msg_size == 0 branch peeks at _data[:4] but never consumes those bytes; subsequent appends grow _data indefinitely.
This is a robustness defect, not a security vulnerability: the TVM security model (https://tvm.apache.org/docs/reference/security.html) states the RPC subsystem is to be deployed only on trusted networks and grants full RCE to any reachable client by design. Filing per Apache security team guidance (private security@ thread, 2026-05-17) as a regular issue rather than an advisory.
Reproduction
Reproduced on commit 4b93f20 (v0.25.dev0). Server RSS climbs 1:1 with bytes sent over a single connection after the magic handshake.
Proposed fix
Add a MAX_TRACKER_MSG_BYTES = 1 << 20 constant; reject any _msg_size outside (0, MAX_TRACKER_MSG_BYTES] (which also covers negative values of the signed int32) and close the connection. Consume the 4-byte size header as soon as it is read, so the payload-complete branch operates on payload bytes only and a zero-length header can no longer leave the buffer growing.
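To make the two failure modes and the proposed bound concrete, here is an added example (not code from python/tvm/rpc/tracker.py, and not the PR) that models the framing logic described above next to a bounded version. The class names, the feed() method and the little-endian signed int32 header layout are assumptions of this example; the inputs are constructed.

```python
import struct

# Proposed upper bound on a single tracker message (1 MiB).
MAX_TRACKER_MSG_BYTES = 1 << 20


class UnboundedFramer:
    """Model of the reported behaviour: the size prefix is read as a signed
    int32 with no upper bound, and the 4-byte header stays in _data until a
    whole payload has arrived (assumed model, not the original handler)."""

    def __init__(self):
        self._data = bytearray()
        self._msg_size = 0

    def feed(self, chunk: bytes) -> list:
        self._data += chunk
        if self._msg_size == 0 and len(self._data) >= 4:
            # Peeks at the header but does not consume it. A header that
            # decodes to 0 leaves _msg_size at 0 and re-peeks forever.
            self._msg_size = struct.unpack("<i", bytes(self._data[:4]))[0]
        if self._msg_size > 0 and len(self._data) >= self._msg_size + 4:
            payload = bytes(self._data[4:4 + self._msg_size])
            del self._data[:4 + self._msg_size]
            self._msg_size = 0
            return [payload]
        return []

    def buffered(self) -> int:
        return len(self._data)


class BoundedFramer:
    """Same wire format with the fix from the proposal: the header is
    consumed on read, sizes outside (0, max_bytes] close the connection,
    and the buffer can never exceed 4 + max_bytes plus one chunk."""

    def __init__(self, max_bytes: int = MAX_TRACKER_MSG_BYTES):
        self._data = bytearray()
        self._msg_size = None  # None: header not yet read
        self._max = max_bytes
        self.closed = False

    def feed(self, chunk: bytes) -> list:
        """Returns every complete payload in the buffer after this chunk."""
        out = []
        if self.closed:
            return out
        self._data += chunk
        while True:
            if self._msg_size is None:
                if len(self._data) < 4:
                    break
                size = struct.unpack("<i", bytes(self._data[:4]))[0]
                del self._data[:4]  # consume the header immediately
                if not 0 < size <= self._max:
                    # Rejects 0, negative (sign bit set) and oversized values.
                    self.closed = True
                    self._data.clear()
                    return out
                self._msg_size = size
            if len(self._data) < self._msg_size:
                break
            out.append(bytes(self._data[:self._msg_size]))
            del self._data[:self._msg_size]
            self._msg_size = None
        return out

    def buffered(self) -> int:
        return len(self._data)


def bytes_buffered_after(framer, header_value: int, chunk: bytes, rounds: int) -> int:
    """Sends one size header followed by `rounds` chunks and reports how
    much the framer is holding afterwards (constructed traffic)."""
    framer.feed(struct.pack("<i", header_value))
    for _ in range(rounds):
        framer.feed(chunk)
    return framer.buffered()


if __name__ == "__main__":
    huge = 0x7FFFFFFF
    print("unbounded, size 0x7FFFFFFF:",
          bytes_buffered_after(UnboundedFramer(), huge, b"A" * 1000, 10))
    print("unbounded, size 0:",
          bytes_buffered_after(UnboundedFramer(), 0, b"B" * 1000, 10))
    bounded = BoundedFramer()
    print("bounded, size 0x7FFFFFFF:",
          bytes_buffered_after(bounded, huge, b"A" * 1000, 10), "closed:", bounded.closed)
    ok = BoundedFramer()
    print("bounded, well-formed:", ok.feed(struct.pack("<i", 5) + b"hello" + struct.pack("<i", 2) + b"hi"))
```

Run stand-alone, the unbounded model keeps every byte sent after either bad header, while the bounded one drops the connection on the header and returns each complete payload (even when a header or payload is split across reads) with nothing left behind.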
PR follows.