envoyproxy/envoy

[mongo_proxy]potential heap_buffer_overflow with untrusted buffer when onData()

Open

#12.708 aberto em 18 de ago. de 2020

Ver no GitHub
 (1 comment) (0 reactions) (0 assignees)C++ (5.373 forks)batch import
area/mongodbhelp wanted

Métricas do repositório

Stars
 (27.997 stars)
Métricas de merge de PR
 (Mesclagem média 8d) (378 fundiu PRs em 30d)

Description

Since the docs of mongo_proxy shows it is still an alpha version and doesn't allow untrusted input now, I think it is not a security issue, so I post it here.

An invalid input/untrusted input can cause heap_buffer_overflow if the buffer contains a "string" which doesn't end with \0.

std::string BufferHelper::removeString(Buffer::Instance& data) {
  int32_t length = removeInt32(data);
  if (static_cast<uint32_t>(length) > data.length()) {
    throw EnvoyException("invalid buffer size");
  }

  char* start = reinterpret_cast<char*>(data.linearize(length));
  std::string ret(start);
  data.drain(length);
  return ret;
}

For example, in the failed test case, length=16 and start should be a string with length=16, however, if it doesn't end with \0, when executing std::string ret(start), there will be heap_buffer_overflow. A possible fix is to replace this line with std::string ret(start, length) which makes sure the length is explicitly specified.

(the code is here: https://github.com/envoyproxy/envoy/blob/master/source/extensions/filters/network/mongo_proxy/bson_impl.cc#L104)

The issue and test case can also be found here: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24961&sort=-opened&can=1&q=proj%3Aenvoy%20status%3DNew

Guia do colaborador