Attempting to demarshal a message with an array or string longer than its
body should return failure. Handling the length correctly is tricky when
it gets near UINT32_MAX values. Unexpected overflows can cause
crashes and other security issues.
These tests verify that demarshalling such message give
On Friday 17 August 2018 15:15:55 CEST Pekka Paalanen wrote:
> Hi Michal,
Hi,
Thank you for the reviews. I will work on the changes. Some answers below.
> > + 0x, 0xfffe, 0xfffd, 0xfffc,
> > + 0xf000, 0xd000, 0xc000, 0xb000
>
> What is the
The DIV_ROUNDUP macro would overflow when trying to round values higher
than MAX_UINT32 - (a - 1). The result is 0 after the division. This is
a potential security issue when demarshalling an array because the length
check is performed with the overflowed value, but then the original huge
value is st
Hi,
Sorry for the long delay. I rewrote it using a different method. IMO it is
cleaner now too.
There were two kinds of overflows - integer overflow when rounding the
length and pointer/integer overflow when adding the length to the `p`.
So I split it into two patches + one with tests.
Michal Srb
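The two overflow classes described in this thread (the integer overflow when rounding a near-UINT32_MAX length with DIV_ROUNDUP, and the pointer overflow when adding the length to `p` on a 32-bit system) can be shown side by side with their overflow-aware counterparts. The following is an added illustration, not code from the thread or from Wayland's connection.c; the macro definition, the function names, and the use of 32-bit offsets in place of real pointers (so the wrap-around is defined unsigned arithmetic and reproducible on any host) are assumptions made for this example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Assumed shape of a round-up-division macro, as discussed in the thread.
 * Unsigned arithmetic is used so the wrap-around is well defined here. */
#define DIV_ROUNDUP(n, a) (((uint32_t)(n) + (uint32_t)(a) - 1u) / (uint32_t)(a))

/* Naive rounding of a length up to a multiple of 4.
 * For length > UINT32_MAX - 3 the addition wraps and the result is 0,
 * so a later "rounded length fits in body" check passes for a huge value. */
uint32_t round_len_unsafe(uint32_t length)
{
    return DIV_ROUNDUP(length, 4) * 4u;
}

/* Overflow-aware rounding: returns the rounded length, or -1 when the
 * rounded value cannot be represented in 32 bits. */
int64_t round_len_safe(uint32_t length)
{
    if (length > UINT32_MAX - 3u)
        return -1;
    return (int64_t)(DIV_ROUNDUP(length, 4) * 4u);
}

/* The checks below model a 32-bit pointer as a uint32_t offset (assumption
 * for this example). `p` is the read position, `end` the end of the body. */

/* Unsafe form: computes p + length first. On 32-bit the sum wraps, so a
 * huge length makes p + length < end and the check passes. */
bool length_fits_unsafe(uint32_t p, uint32_t end, uint32_t length)
{
    uint32_t next = p + length; /* wraps modulo 2^32 like a 32-bit pointer */
    return next <= end;
}

/* Safe form: compare the length against the bytes remaining instead of
 * forming p + length, so no wrap-around can occur. */
bool length_fits_safe(uint32_t p, uint32_t end, uint32_t length)
{
    if (p > end)
        return false;
    return length <= end - p;
}

int main(void)
{
    /* Constructed values mirroring the near-UINT32_MAX lengths in the tests. */
    const uint32_t lengths[] = { 0xffffffffu, 0xfffffffeu, 0xfffffffdu, 0xfffffffcu };
    for (size_t i = 0; i < sizeof lengths / sizeof lengths[0]; i++) {
        printf("length 0x%08x: naive round -> 0x%08x, checked round -> %lld\n",
               lengths[i], round_len_unsafe(lengths[i]),
               (long long)round_len_safe(lengths[i]));
    }

    /* Constructed 32-bit body: 0x100 bytes at offset 0x1000, huge claimed length. */
    uint32_t p = 0x1000u, end = 0x1100u, huge = 0xfffff100u;
    printf("unsafe check accepts huge length: %s\n", length_fits_unsafe(p, end, huge) ? "yes" : "no");
    printf("safe check accepts huge length:   %s\n", length_fits_safe(p, end, huge) ? "yes" : "no");
    return 0;
}
```

The naive rounding yields 0 for the three largest lengths and only becomes correct at 0xfffffffc, which is why the test set in the thread stops there; the remaining-bytes comparison rejects the huge length regardless of pointer width.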
If the remote side sends a sufficiently large `length` field, it will
overflow the `p` pointer. Technically it is undefined behavior; in
practice it makes `p < end`, so the length check passes. Attempts to
access the data later cause crashes.
This issue manifests only on 32bit systems, but the beha
-by: Michal Srb
---
Note that the problem happens only on 32bit systems.
 src/connection.c        | 19 +--
 tests/connection-test.c | 46 ++
 2 files changed, 63 insertions(+), 2 deletions(-)
diff --git a/src/connection.c b/src/connectio