[mongo_proxy]potential heap_buffer_overflow with untrusted buffer when onData()
#12.708 aberto em 18 de ago. de 2020
Métricas do repositório
- Stars
- (27.997 stars)
- Métricas de merge de PR
- (Mesclagem média 8d) (378 fundiu PRs em 30d)
Description
Since the docs of mongo_proxy shows it is still an alpha version and doesn't allow untrusted input now, I think it is not a security issue, so I post it here.
An invalid input/untrusted input can cause heap_buffer_overflow if the buffer contains a "string" which doesn't end with \0.
std::string BufferHelper::removeString(Buffer::Instance& data) {
int32_t length = removeInt32(data);
if (static_cast<uint32_t>(length) > data.length()) {
throw EnvoyException("invalid buffer size");
}
char* start = reinterpret_cast<char*>(data.linearize(length));
std::string ret(start);
data.drain(length);
return ret;
}
For example, in the failed test case, length=16 and start should be a string with length=16, however, if it doesn't end with \0, when executing std::string ret(start), there will be heap_buffer_overflow.
A possible fix is to replace this line with std::string ret(start, length) which makes sure the length is explicitly specified.
(the code is here: https://github.com/envoyproxy/envoy/blob/master/source/extensions/filters/network/mongo_proxy/bson_impl.cc#L104)
The issue and test case can also be found here: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24961&sort=-opened&can=1&q=proj%3Aenvoy%20status%3DNew