Uploaded image for project: 'C Driver'
  1. C Driver
  2. CDRIVER-2401

Handle UTF-8 multibyte NIL in bson_utf8_validate, and UTF-8 validate URI strings before parsing

    XMLWordPrintableJSON

Details

    Description

      Bugs

      Three minor issues if you feed the following PoCs into the "mongoc_uri_new" function.

      This was against:
      https://github.com/mongodb/mongo-c-driver/releases/download/1.8.2/mongo-c-driver-1.8.2.tar.gz

      With ASAN on.

      This is the script I used for testing:
      https://gist.github.com/c0nrad/760fd1d34e39b7ed8f4442c622c90160

      scan_to_unichar

      READ of size 1
      #7 0x000000000041c2ec in scan_to_unichar (terminators=<optimized out>, end=<synthetic pointer>, match=64, str=0x60200000ec50 "\350\003") at src/mongoc/mongoc-uri.c:159
      PoC
      0000000 6f6d 676e 646f 3a62 2f2f 03e8 0000 686c
      0000010 736f 3a74 3732 3130 2f37 6574 7473 723f
      0000020 7065 696c 6163 6573 3d74 6f66 006f
      000002d

      bson_utf8_get_char

      READ of size 1
      #7 0x00000000004763db in bson_utf8_get_char (utf8=utf8@entry=0x60200000ec30 "\372") at src/bson/bson-utf8.c:367
      PoC:
      0000000 6f6d 676e 646f 3a62 2f2f 00fa fa00 686c
      0000010 736f 3a74 3732 3130 2f37 6574 7473 723f
      0000020 7065 696c 6163 6573 3d74 6f66 006f
      000002d

      bson_string_append_unichar

      precondition failed: unichar
      #2 0x0000000000471ed2 in bson_string_append_unichar (string=string@entry=0x60200000ebf0, unichar=<optimized out>) at src/bson/bson-string.c:232
      #3 0x0000000000412529 in mongoc_uri_unescape (escaped_string=escaped_string@entry=0x60200000ec10 "loca01te\332\213\300\200") at src/mongoc/mongoc-uri.c:1683
      #4 0x0000000000412eff in mongoc_uri_do_unescape (str=<synthetic pointer>) at src/mongoc/mongoc-uri.c:76
      #5 mongoc_uri_parse_host (uri=<optimized out>, str=<optimized out>, downcase=<optimized out>) at src/mongoc/mongoc-uri.c:367
      PoC:
      0000000 6f6d 676e 646f 3a62 2f2f 6f6c 6163 3130
      0000010 6574 8bda 80c0 ff00 31ff 6574 8bda 8dc0
      0000020 4063 6573 3d74 6f66 7361 0073
      000002b

      Attachments

        Issue Links

          Activity

            People

              jesse@mongodb.com A. Jesse Jiryu Davis
              stuart.larsen@mongodb.com Stuart Larsen (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: