envoyproxy/envoy

[kafka_broker] potential out of memory with untrusted buffer when onData()

Open

#12.687 geöffnet am 17. Aug. 2020

Auf GitHub ansehen
 (2 Kommentare) (0 Reaktionen) (0 zugewiesene Personen)C++ (5.373 Forks)batch import
area/kafkahelp wanted

Repository-Metriken

Stars
 (27.997 Stars)
PR-Merge-Metriken
 (Durchschn. Merge 8T) (378 gemergte PRs in 30 T)

Beschreibung

Since documentation of kafka_broker shows it is still an alpha version, and only accept trusted data, I think this is not a security issue, so I post it here.

The ArrayDeserializer reads an integer from the buffer and uses it as the size of a new vector(variable name: required_): https://github.com/envoyproxy/envoy/blob/master/source/extensions/filters/network/kafka/serialization.h#L466

If the input is invalid or from untrusted downstream, it's possible that the length is very large(9999999) but actually the buffer size is only 20.

We may consider adding a constraint on the vector length(for example, not more than buffer.size()?) to avoid this bug.

The issue and test case can be found here: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24862&sort=-opened&can=1&q=proj%3Aenvoy%20status%3DNew

Contributor Guide