envoyproxy/envoy

[redis_proxy] potential out of memory/ with untrusted buffer when onData()

Open

#12.689 geöffnet am 17. Aug. 2020

Auf GitHub ansehen
 (1 Kommentar) (0 Reaktionen) (0 zugewiesene Personen)C++ (5.373 Forks)batch import
area/redishelp wanted

Repository-Metriken

Stars
 (27.997 Stars)
PR-Merge-Metriken
 (Durchschn. Merge 8T) (378 gemergte PRs in 30 T)

Beschreibung

Since documentation of redis_proxy shows it is only accepts trusted data now, I think this is not a security issue, so I post it here.

In the decoder of redis_proxy filter, it reads an integer from the buffer and constructs a vector with size equal to it(pending_integer_.integer_). https://github.com/envoyproxy/envoy/blob/master/source/extensions/filters/network/common/redis/codec_impl.cc#L442

Untrusted buffer containing a very large integer here(as the size of the vector) may lead to out of memory or uncaught length_error exception.

We may consider adding a constraint on the vector length(for example, not more than buffer.size()?) to avoid this bug.

The issue and test case can be found here: https://oss-fuzz.com/testcase-detail/5663259240431616

Contributor Guide