C Driver / CDRIVER-3340

Appending a bson_value_t containing an empty binary payload may abort

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major - P3
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 1.16.0
    • Component/s: libbson
    • Labels:
      None

      Description

      As noted in CDRIVER-2569, bson_append_binary asserts the binary payload is not NULL (but it is okay to use a non-NULL address with a zero length, which could be obtained from malloc(0), though bson_malloc(0) does return a NULL).

      However, bson_value_copy on an empty binary payload will produce a value with a NULL payload, which means if we can retrieve an empty binary value, copy it, and then try appending that copy, we get an abort:

      bson_t bson = BSON_INITIALIZER;
      const bson_value_t *value; /* bson_iter_value returns a const pointer */
      bson_value_t value_copy;
      /* iter points to an empty BSON binary value */
      value = bson_iter_value (&iter);
      bson_value_copy (value, &value_copy);
      /* The following asserts since value_copy.value.v_binary.data is NULL */
      BSON_APPEND_VALUE (&bson, "key", &value_copy);
      

      Consider:

      • loosening the restriction and allowing NULL to be passed to bson_append_binary. bson_append_utf8 allows NULL (but appends it as a NULL type instead of as an empty UTF8 string)
      • changing bson_malloc to call the underlying allocator even for a zero length (which seems potentially dangerous, since users can override the allocator, and this would change how we're calling that allocator).
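
The first option above, sketched as an added example (not libbson code and not the fix that shipped): a self-contained model of the copy-then-append round trip in which a NULL payload is rejected only when the length is non-zero. The names bin_value, bin_copy, append_binary and roundtrip_empty are hypothetical, and the element layout follows the BSON binary encoding.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Toy stand-in for a binary payload value (hypothetical, not libbson's type). */
typedef struct { uint8_t subtype; uint8_t *data; uint32_t len; } bin_value;

/* Models the copy behaviour from the report: a zero-length payload is
 * copied as data == NULL, as happens when the allocator wrapper returns
 * NULL for a zero-byte request. */
static void bin_copy(const bin_value *src, bin_value *dst) {
    dst->subtype = src->subtype;
    dst->len = src->len;
    dst->data = src->len ? malloc(src->len) : NULL;
    if (dst->data) memcpy(dst->data, src->data, src->len);
}

/* Encodes one BSON binary element: 0x05, key cstring, int32 LE length,
 * subtype, payload. Returns bytes written, or 0 on bad arguments.
 * Loosened precondition: NULL data is rejected only when len > 0. */
static size_t append_binary(uint8_t *out, size_t cap, const char *key,
                            const bin_value *v) {
    size_t klen, need;
    if (!out || !key || !v) return 0;
    if (v->len > INT32_MAX) return 0;
    if (v->data == NULL && v->len != 0) return 0; /* still a caller bug */
    klen = strlen(key) + 1;
    need = 1 + klen + 4 + 1 + v->len;
    if (need > cap) return 0;
    *out++ = 0x05;
    memcpy(out, key, klen); out += klen;
    for (int i = 0; i < 4; i++) *out++ = (uint8_t)(v->len >> (8 * i));
    *out++ = v->subtype;
    if (v->len) memcpy(out, v->data, v->len); /* never memcpy from NULL */
    return need;
}

/* Round trip from the report: copy an empty binary value, then append it. */
static size_t roundtrip_empty(uint8_t *out, size_t cap) {
    uint8_t dummy = 0; /* non-NULL address with zero length */
    bin_value src = { 0x00, &dummy, 0 }, copy;
    bin_copy(&src, &copy);
    return append_binary(out, cap, "key", &copy);
}

int main(void) {
    uint8_t buf[32];
    return roundtrip_empty(buf, sizeof buf) == 10 ? 0 : 1;
}
```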
