envoyproxy/envoy

[mongo_proxy]potential heap_buffer_overflow with untrusted buffer when onData()

Open

#12 708 ouverte le 18 août 2020

Voir sur GitHub
 (1 commentaire) (0 réactions) (0 assignés)C++ (5 373 forks)batch import
area/mongodbhelp wanted

Métriques du dépôt

Stars
 (27 997 stars)
Métriques de merge PR
 (Merge moyen 8j) (378 PRs mergées en 30 j)

Description

Since the docs of mongo_proxy shows it is still an alpha version and doesn't allow untrusted input now, I think it is not a security issue, so I post it here.

An invalid input/untrusted input can cause heap_buffer_overflow if the buffer contains a "string" which doesn't end with \0.

std::string BufferHelper::removeString(Buffer::Instance& data) {
  int32_t length = removeInt32(data);
  if (static_cast<uint32_t>(length) > data.length()) {
    throw EnvoyException("invalid buffer size");
  }

  char* start = reinterpret_cast<char*>(data.linearize(length));
  std::string ret(start);
  data.drain(length);
  return ret;
}

For example, in the failed test case, length=16 and start should be a string with length=16, however, if it doesn't end with \0, when executing std::string ret(start), there will be heap_buffer_overflow. A possible fix is to replace this line with std::string ret(start, length) which makes sure the length is explicitly specified.

(the code is here: https://github.com/envoyproxy/envoy/blob/master/source/extensions/filters/network/mongo_proxy/bson_impl.cc#L104)

The issue and test case can also be found here: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24961&sort=-opened&can=1&q=proj%3Aenvoy%20status%3DNew

Guide contributeur