SERVER-21122: Handle integer overflow in KMIP message parsing code

    • Type: Bug
    • Resolution: Done
    • Priority: Major - P3
    • Fix Version/s: 3.2.0-rc2
    • Affects Version/s: 3.2.0-rc0
    • Component/s: Security
    • Labels: None
    • Fully Compatible
    • ALL
    • Security A 10/09/15, Security B 10/30/15

      Parsing of KMIP strings (KMIPResponse::_parseString) contains an integer overflow that bypasses the protections provided by the ConstDataRangeCursor.

      StatusWith<size_t> swTag = _parseTag(cdrc, tag, ItemType::textString, tagName);
      if (!swTag.isOK()) {
          return swTag.getStatus();
      }
      size_t len = swTag.getValue();

      This length can be very large (e.g., UINT_MAX). If length is 0xffffffffU, the following code will overflow, allowing the advance to succeed.

      Status adv = cdrc->advance(len + (8 - (len % 8)) % 8);
      if (!adv.isOK()) {
          return adv;
      }

      For len of 0xffffffffU, "len + (8 - (len % 8)) % 8" will result in 0. In this particular case, the conversion to std::string causes an exception.

      return std::string(data, len);

      This would only occur on systems where "sizeof(uint32_t) == sizeof(size_t)", because advance takes a size_t while the parsing code uses uint32_t.
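      An added example (not MongoDB's code or the reporter's) that evaluates the report's padding expression in uint32_t so the 32-bit size_t wrap is reproduced on any host, and places a length-checked variant beside it; the Cursor struct is a hypothetical stand-in for ConstDataRangeCursor.

```cpp
#include <cstddef>
#include <cstdint>
#include <limits>

// Padding expression from the report, evaluated in uint32_t so the
// 32-bit size_t case is reproduced on any host. KMIP TTLV string
// values are padded out to a multiple of 8 bytes.
uint32_t paddedLength32(uint32_t len) {
    return len + (8 - (len % 8)) % 8;  // wraps to 0 when len == 0xffffffffU
}

// Hardened replacement: refuse lengths whose padded size would wrap, and
// refuse any advance larger than the bytes actually left in the buffer.
// Returns false (and leaves *out untouched) when the item must be rejected.
bool checkedPaddedLength(uint32_t len, size_t remaining, size_t* out) {
    uint32_t pad = (8 - (len % 8)) % 8;
    if (len > std::numeric_limits<uint32_t>::max() - pad) return false;  // would wrap
    size_t padded = static_cast<size_t>(len) + pad;
    if (padded > remaining) return false;  // not enough bytes left in the message
    *out = padded;
    return true;
}

// Hypothetical stand-in for a bounded cursor (not MongoDB's
// ConstDataRangeCursor): advance succeeds only if n bytes remain.
struct Cursor {
    size_t remaining;
    bool advance(size_t n) {
        if (n > remaining) return false;
        remaining -= n;
        return true;
    }
};

// Mirrors the reported flow: a wrapped padded length of 0 passes the
// cursor's bound check even though the later std::string(data, len)
// would read len bytes past the buffer.
bool unsafeAdvanceAccepts(uint32_t len, size_t remaining) {
    Cursor c{remaining};
    return c.advance(paddedLength32(len));
}

// Checked flow: the oversized length is rejected before any advance.
bool safeAdvanceAccepts(uint32_t len, size_t remaining) {
    Cursor c{remaining};
    size_t padded = 0;
    return checkedPaddedLength(len, remaining, &padded) && c.advance(padded);
}
```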

            Assignee: andreas.nilsson Andreas Nilsson
            Reporter: andreas.nilsson Andreas Nilsson
            Votes: 0
            Watchers: 3