Core Server / SERVER-41024

safeInt32 and safeInt64 IDL types are not safe for all numerical inputs, results in UB


Details

    • Bug
    • Status: Closed
    • Major - P3
    • Resolution: Fixed
    • None
    • 4.1.14
    • IDL
    • None
    • Fully Compatible
    • ALL
    • Security 2019-05-20, Security 2019-06-03

    Description

      There are a handful of "basic types" provided by the IDL in basic_types.idl. Among these basic types are safeInt32 and safeInt64, which purport to convert any numerical BSON element (int, long, double, or decimal) into either a 32 bit signed integer or 64 bit signed integer. However, the deserializers for these types just call BSONElement::numberInt() and BSONElement::numberLong(), which do not implement a safe conversion from any double to an integer. In particular, a double which is too large to fit inside a long (or int) will result in undefined behavior.

      Any IDL-generated parser will therefore produce UB if provided unsanitized input containing a very large double. There are several uses of safeInt64 and safeInt32 in the code base which may be affected. For instance, the size parameter to the create command looks like it could result in UB if the client specified the value as a very large double.
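      A range-checked conversion of the kind the description says the deserializers lack, as an added example (not MongoDB's code and not the fix that shipped for this ticket). The helper names `checkedDoubleToInt` and `clampedDoubleToInt` are hypothetical, and truncation toward zero and the clamping policy are assumptions of the example.

```cpp
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <limits>

// Hypothetical helper, not MongoDB's API: convert a double to a signed
// integer type, truncating toward zero, only if the result is representable.
template <typename Int>
bool checkedDoubleToInt(double d, Int* out) {
    static_assert(std::numeric_limits<Int>::is_signed, "signed integer types only");
    // 2^digits (2^31 or 2^63) is exactly representable as a double, while
    // INT64_MAX is not: static_cast<double>(INT64_MAX) rounds up to 2^63, so
    // a test of the form `d <= INT64_MAX` would let 2^63 through.
    const double upper = std::ldexp(1.0, std::numeric_limits<Int>::digits);
    const double t = std::trunc(d);  // NaN stays NaN, +/-inf stays +/-inf
    // Written so that NaN fails the check: every comparison with NaN is false.
    if (!(t >= -upper && t < upper)) {
        return false;
    }
    *out = static_cast<Int>(t);  // defined: t is integral and within range
    return true;
}

// Hypothetical clamping variant: NaN maps to 0, out-of-range values saturate.
template <typename Int>
Int clampedDoubleToInt(double d) {
    Int v = 0;
    if (std::isnan(d) || checkedDoubleToInt(d, &v)) {
        return v;
    }
    return d < 0 ? std::numeric_limits<Int>::min() : std::numeric_limits<Int>::max();
}

int main() {
    // Constructed sample inputs, including the "very large double" case.
    const double samples[] = {42.9, -2147483648.5, 2147483648.0,
                              9223372036854775808.0, 1e300, std::nan("")};
    for (double d : samples) {
        int32_t i32 = 0;
        int64_t i64 = 0;
        const bool ok32 = checkedDoubleToInt(d, &i32);
        const bool ok64 = checkedDoubleToInt(d, &i64);
        std::printf("%-24g int32: %-3s %-12ld int64: %-3s %lld\n", d, ok32 ? "ok" : "bad",
                    static_cast<long>(i32), ok64 ? "ok" : "bad", static_cast<long long>(i64));
    }
    return 0;
}
```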


            People

              mark.benvenuto@mongodb.com Mark Benvenuto
              david.storch@mongodb.com David Storch