Core Server / SERVER-41024

safeInt32 and safeInt64 IDL types are not safe for all numerical inputs, results in UB

    • Type: Bug
    • Resolution: Fixed
    • Priority: Major - P3
    • 4.1.14
    • Affects Version/s: None
    • Component/s: IDL
    • Labels:
    • Fully Compatible
    • ALL
    • Security 2019-05-20, Security 2019-06-03

      There are a handful of "basic types" provided by the IDL in basic_types.idl. Among these basic types are safeInt32 and safeInt64, which purport to convert any numerical BSON element (int, long, double, or decimal) into either a 32-bit signed integer or a 64-bit signed integer. However, the deserializers for these types just call BSONElement::numberInt() and BSONElement::numberLong(), which do not implement a safe conversion from an arbitrary double to an integer. In particular, a double that is too large to fit inside a long (or int) results in undefined behavior, because in C++ a floating-point-to-integer conversion whose truncated value cannot be represented in the destination type is UB.

      Any IDL-generated parser will therefore produce UB if provided unsanitized input containing a very large double. There are several uses of safeInt64 and safeInt32 in the code base which may be affected. For instance, the size parameter to the create command looks like it could result in UB if the client specified the value as a very large double.
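      To make the conversion concrete, the following is an added example (not MongoDB's code and not the fix shipped in 4.1.14) of a double-to-integer conversion that range-checks the double before casting, with the unchecked pattern the report describes beside it. The function names are assumptions, and the policy of truncating fractional doubles toward zero (as numberLong() would) is a constructed choice.

```cpp
#include <cmath>
#include <cstdint>
#include <limits>

// Unchecked: the pattern the report describes. When d is NaN, infinite or
// outside the target range, the cast itself is undefined behaviour in C++.
std::int64_t unsafeDoubleToInt64(double d) {
    return static_cast<std::int64_t>(d);  // UB for d >= 2^63, d < -2^63, NaN, inf
}

// Checked range test, performed on the double before any cast.
// -2^63 is exactly representable as a double; 2^63 is the first double
// that is too large, so the upper bound is exclusive. NaN and infinities
// are rejected explicitly rather than relying on comparison behaviour.
bool fitsInt64(double d) {
    constexpr double kMin = -9223372036854775808.0;  // -2^63 (constructed bound)
    constexpr double kMax = 9223372036854775808.0;   //  2^63, exclusive
    if (std::isnan(d) || std::isinf(d)) return false;
    return d >= kMin && d < kMax;
}

// int32 bounds are exact as doubles, so a direct comparison is safe.
// Fractional values inside the range are accepted and later truncated.
bool fitsInt32(double d) {
    if (!fitsInt64(d)) return false;
    return d >= std::numeric_limits<std::int32_t>::min() &&
           d <= std::numeric_limits<std::int32_t>::max();
}

// Writes the truncated integer and returns true only when d is safely
// representable; otherwise leaves *out untouched and returns false, so a
// parser can reject the document instead of performing a UB cast.
bool safeDoubleToInt64(double d, std::int64_t* out) {
    if (!fitsInt64(d)) return false;
    *out = static_cast<std::int64_t>(d);
    return true;
}

bool safeDoubleToInt32(double d, std::int32_t* out) {
    if (!fitsInt32(d)) return false;
    *out = static_cast<std::int32_t>(d);
    return true;
}

// Convenience wrapper: the converted value on success, the caller's
// fallback on rejection (hypothetical helper for the checks below).
std::int64_t toInt64OrFallback(double d, std::int64_t fallback) {
    std::int64_t v = fallback;
    return safeDoubleToInt64(d, &v) ? v : fallback;
}
```

A parser using these helpers fails closed on oversized, NaN or infinite doubles instead of reaching the cast.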

            mark.benvenuto@mongodb.com Mark Benvenuto
            david.storch@mongodb.com David Storch