[CDRIVER-2455] Off-by-one error in calculated required size with bson_append_regex Created: 08/Jan/18  Updated: 28/Oct/23  Resolved: 09/Jan/18

Status: Closed
Project: C Driver
Component/s: None
Affects Version/s: 1.9.0
Fix Version/s: 1.9.1

Type: Bug Priority: Major - P3
Reporter: Derick Rethans Assignee: Derick Rethans
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
is depended on by PHPC-1067 BSON document produces driver segfault Closed
Related
related to CDRIVER-4421 Heap-Buffer-Overflow Bug Report, Fuzz... Closed

Description

When analysing PHPC-1067 I found an off-by-one error in bson_append_regex.

The calculation for the number of required bytes is off by one, since https://github.com/mongodb/libbson/commit/f9c179bb#diff-834e3eef392f29fc84e766ec869ff972L1533

The annotated calculation is:

    r = _bson_append (bson,
        5, // Number of data elements to add
        (1 + key_length + 1 + regex_len + options_sorted->len), // bytes to add
        1,          // length of first element (BSON type, int8)
        &type,      // the BSON type
        key_length, // the length of the field name
        key,        // the field name (not 0-terminated)
        1,          // the length of the ending 0 byte
        &gZero,     // the null 0 byte
        regex_len,  // the length of the regular expression (including 0 byte)
        regex,      // the regular expression with 0 byte
        options_sorted->len + 1, // the length of the sorted options, with 0 byte
        options_sorted->str);    // the sorted options, with 0 byte

If you compare (1 + key_length + 1 + regex_len + options_sorted->len) with the sum of all the lengths, you see it's missing 1 (the extra null of the options_sorted->len).

This can cause an out-of-bounds write.
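As an added illustration (not code from the ticket or from the driver), the buggy and corrected size formulas side by side, next to a bounds-checked encoder of the regex element layout the ticket describes (type byte, NUL-terminated key, NUL-terminated regex, NUL-terminated options). The encoder, the scratch buffer and the helper names are my own; regex_len follows the ticket's convention of already including the regex's NUL.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Byte count the buggy bson_append_regex claimed (CDRIVER-2455): type byte,
 * key, key NUL, regex (regex_len already includes its NUL), options... but
 * not the NUL that terminates the options cstring. */
size_t regex_claimed_size_buggy(size_t key_len, size_t regex_len, size_t opts_len)
{
   return 1 + key_len + 1 + regex_len + opts_len;
}

/* Corrected count: the options cstring is also NUL-terminated. */
size_t regex_required_size(size_t key_len, size_t regex_len, size_t opts_len)
{
   return 1 + key_len + 1 + regex_len + opts_len + 1;
}

/* Encode one BSON regex element (type 0x0B, cstring key, cstring regex,
 * cstring options) into buf without ever writing past cap bytes.
 * Returns bytes written, or -1 when cap is smaller than what the element
 * actually needs, which is exactly the case the buggy size claim produces. */
long encode_regex_element(uint8_t *buf, size_t cap, const char *key,
                          const char *regex, const char *opts)
{
   size_t key_len = strlen(key), regex_len = strlen(regex) + 1, opts_len = strlen(opts);
   if (regex_required_size(key_len, regex_len, opts_len) > cap) return -1;
   size_t off = 0;
   buf[off++] = 0x0B;                                     /* BSON type: regex */
   memcpy(buf + off, key, key_len);     off += key_len;
   buf[off++] = 0;                                        /* key terminator */
   memcpy(buf + off, regex, regex_len); off += regex_len; /* incl. its NUL */
   memcpy(buf + off, opts, opts_len);   off += opts_len;
   buf[off++] = 0;                                        /* the byte the bug forgot */
   return (long) off;
}

/* Hypothetical helper: encode into a local scratch buffer but honour only
 * `cap`, so a caller can probe what a given size claim would have allowed. */
long encode_with_cap(size_t cap, const char *key, const char *regex, const char *opts)
{
   uint8_t scratch[256];
   if (cap > sizeof scratch) return -1;
   return encode_regex_element(scratch, cap, key, regex, opts);
}
```

For any key/regex/options triple the buggy claim is exactly one byte below what the encoder writes, so a buffer sized from it is rejected while one sized from the corrected formula is accepted.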



Comments
Comment by Githook User [ 09/Jan/18 ]

Author: Derick Rethans (derickr, github@derickrethans.nl)

Message: CDRIVER-2455 Fixed off-by-one error in BSON encoding of Regex
Branch: master
https://github.com/mongodb/mongo-c-driver/commit/0d474e6f46784257b96e41642ba052140f456ba5

Comment by Derick Rethans [ 09/Jan/18 ]

https://github.com/mongodb/libbson/pull/216

Generated at Wed Feb 07 21:15:16 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.