[CDRIVER-3340] Appending a bson_value_t containing an empty binary payload may abort Created: 27/Aug/19  Updated: 28/Oct/23  Resolved: 07/Jan/20

Status: Closed
Project: C Driver
Component/s: libbson
Affects Version/s: None
Fix Version/s: 1.16.0

Type: Bug Priority: Major - P3
Reporter: Kevin Albertson Assignee: Kevin Albertson
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Problem/Incident
causes MONGOCRYPT-22 libmongocrypt aborts on empty decrypt... Closed
Related
is related to CDRIVER-2569 Issues with empty binary value Closed

Description

As noted in CDRIVER-2569, bson_append_binary asserts that the binary payload is not NULL. A non-NULL address with a zero length is accepted; such an address could be obtained from the C library's malloc(0), but bson_malloc(0) returns NULL.

However, bson_value_copy on an empty binary payload produces a value with a NULL payload, which means that if we retrieve an empty binary value, copy it, and then try to append the copy, we get an abort:

bson_t bson = BSON_INITIALIZER;
const bson_value_t *value;
bson_value_t value_copy;
/* iter points to an empty BSON binary value (zero length, non-NULL data) */
value = bson_iter_value (&iter);
/* bson_value_copy allocates 0 bytes via bson_malloc, which returns NULL */
bson_value_copy (value, &value_copy);
/* The following asserts since value_copy.value.v_binary.data is NULL */
BSON_APPEND_VALUE (&bson, "key", &value_copy);

Consider:

  • loosening the restriction and allowing NULL to be passed to bson_append_binary. bson_append_utf8 already allows NULL (but appends it as a BSON null rather than as an empty UTF-8 string).
  • changing bson_malloc to call the underlying allocator even for a zero length (which seems potentially dangerous, since users can override the allocator, and this would change how we call that allocator).
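The failure mode above, and the relaxed precondition the first option amounts to, sketched as a self-contained C example. This is added illustration, not libbson code: demo_malloc, demo_binary_t, demo_binary_copy and the two check functions are stand-ins I assume here to model bson_malloc(0) returning NULL and the old versus new NULL check in bson_append_binary.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical stand-ins (not libbson code) for bson_malloc and the binary
 * part of bson_value_t, reproducing the failure mode the report describes. */
typedef struct {
   uint8_t *data;
   uint32_t data_len;
} demo_binary_t;

/* Mirrors the behaviour the report notes: a zero-byte request returns NULL. */
static void *demo_malloc (size_t n) {
   return n == 0 ? NULL : malloc (n);
}

/* Copies a value the way the report says bson_value_copy behaves: a
 * zero-length source yields a copy whose data pointer is NULL. */
static void demo_binary_copy (const demo_binary_t *src, demo_binary_t *dst) {
   dst->data_len = src->data_len;
   dst->data = demo_malloc (src->data_len);
   if (dst->data_len > 0) {
      memcpy (dst->data, src->data, src->data_len);
   }
}

/* Pre-fix precondition: any NULL payload is rejected, even with length 0. */
static bool append_binary_old_check (const uint8_t *data, uint32_t len) {
   (void) len;
   return data != NULL;
}

/* Post-fix precondition: NULL is fine when there is nothing to copy, while a
 * NULL pointer paired with a non-zero length is still rejected. */
static bool append_binary_new_check (const uint8_t *data, uint32_t len) {
   return data != NULL || len == 0;
}

/* Copy an empty binary value and report whether each precondition would let
 * the copy be appended. Returns true when the copy's data pointer is NULL. */
bool empty_binary_roundtrip (bool *old_accepts, bool *new_accepts) {
   uint8_t placeholder;                      /* non-NULL address, length 0 */
   demo_binary_t src = {&placeholder, 0};
   demo_binary_t copy;
   demo_binary_copy (&src, &copy);
   *old_accepts = append_binary_old_check (copy.data, copy.data_len);
   *new_accepts = append_binary_new_check (copy.data, copy.data_len);
   free (copy.data);                         /* free (NULL) is a no-op */
   return copy.data == NULL;
}
```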


Comments
Comment by Githook User [ 07/Jan/20 ]

Author:

{'name': 'Kevin Albertson', 'email': 'kevin.albertson@mongodb.com', 'username': 'kevinAlbs'}

Message: CDRIVER-3340 permit NULL as binary value to append

Copying a binary value with 0 length would result in a
bson_value_t with a NULL value for the binary data, causing
a crash if that copied value was appended. This was due to
bson_malloc returning NULL if allocating 0 bytes. So permit
NULL as a binary value to append.
Branch: master
https://github.com/mongodb/mongo-c-driver/commit/204fb161f9115cdc957aced98c6daea260235013

Comment by Githook User [ 28/Aug/19 ]

Author:

{'email': 'kevin.albertson@mongodb.com', 'name': 'Kevin Albertson', 'username': 'kevinAlbs'}

Message: CDRIVER-3338 workaround CDRIVER-3340

Generated at Wed Feb 07 21:17:45 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.