[MONGOCRYPT-568] Undefined behavior in _mongocrypt_buffer_copy_from_data_and_size when len == 0u
Created: 06/Apr/23  Updated: 28/Oct/23  Resolved: 06/Apr/23

Status: Closed
Project: Libmongocrypt
Component/s: None
Affects Version/s: None
Fix Version/s: 1.8.0, 1.8.0-alpha1

Type: Bug
Priority: Unknown
Reporter: Ezra Chung
Assignee: Ezra Chung
Resolution: Fixed
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
is related to MONGOCRYPT-550 Add support for encryption/decryption... Closed

 Description   

_mongocrypt_buffer_copy_from_data_and_size(buf, data, len) permits len == 0u as long as data != NULL, such as in _mc_FLE2UnindexedEncryptedValueCommon_parse when mc_reader_get_remaining_length returns 0u.

Invoking bson_malloc(0u) returns a NULL pointer, which is immediately passed to memcpy(s1, s2, n) as s1, which may trigger the following UBSAN error:

./src/mongocrypt-buffer.c:498:12: runtime error: null pointer passed as argument 1, which is declared to never be null
/usr/include/string.h:44:28: note: nonnull attribute specified here
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ./src/mongocrypt-buffer.c:498:12 in

The undefined behavior is specified as the following:

Where an argument declared as size_t n specifies the length of the array for a function, n can have the value zero on a call to that function. Unless explicitly stated otherwise in the description of a particular function in this subclause, pointer arguments on such a call shall still have valid values, as described in 7.1.4.

where in 7.1.4 it states:

If an argument to a function has an invalid value (such as [...] a null pointer [...]) the behavior is undefined.

The specification for memcpy does not explicitly state any exceptions, thus passing NULL as s1 is considered UB.
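
One way to guard the zero-length case described above, as an added example that is not libmongocrypt's code or the fix from the linked commit. The names demo_buf_t, demo_malloc, demo_buf_copy_from and demo_roundtrip are hypothetical, and demo_malloc stands in for the bson_malloc(0u) behaviour the report describes:

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the library's buffer type. */
typedef struct { uint8_t *data; size_t len; } demo_buf_t;

/* Stand-in allocator with the behaviour the report describes for
 * bson_malloc: a zero-byte request yields NULL. */
static void *demo_malloc(size_t n) { return n == 0u ? NULL : malloc(n); }

/* Copy len bytes from data into buf; false on bad arguments or OOM. */
bool demo_buf_copy_from(demo_buf_t *buf, const uint8_t *data, size_t len) {
    if (buf == NULL || data == NULL) {
        return false;
    }
    buf->data = NULL;
    buf->len = 0u;
    if (len == 0u) {
        return true; /* empty input: memcpy is never reached with NULL */
    }
    buf->data = demo_malloc(len);
    if (buf->data == NULL) {
        return false;
    }
    memcpy(buf->data, data, len);
    buf->len = len;
    return true;
}

/* Copy, compare, free. memcmp gets the same guard as memcpy, because
 * b.data is NULL for an empty buffer. Returns 1 when the copy matches. */
int demo_roundtrip(const uint8_t *data, size_t len) {
    demo_buf_t b;
    if (!demo_buf_copy_from(&b, data, len)) {
        return 0;
    }
    int same = b.len == len && (len == 0u || memcmp(b.data, data, len) == 0);
    free(b.data); /* free(NULL) is a no-op */
    return same;
}

int main(void) {
    const uint8_t sample[] = {'a', 'b', 'c'}; /* constructed sample input */
    return (demo_roundtrip(sample, sizeof sample) && demo_roundtrip(sample, 0u)) ? 0 : 1;
}
```

Building this with -fsanitize=undefined and running it exercises the empty-input path without the nonnull report quoted above.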



 Comments   
Comment by Githook User [ 06/Apr/23 ]

Author: Ezra Chung (eramongodb) <88335979+eramongodb@users.noreply.github.com>

Message: MONGOCRYPT-568 Avoid calling memcpy with NULL argument in _mongocrypt_buffer_copy_from_data_and_size (#613)
Branch: master
https://github.com/mongodb/libmongocrypt/commit/dc2c7e6433eb46f119e5079c788fda3e3f50a1dc

Comment by Cloud GitHub Webhooks [ 06/Apr/23 ]

eramongodb merged a pull request (MONGOCRYPT-568 Avoid calling memcpy with NULL argument in _mongocrypt_buffer_copy_from_data_and_size) into the following branch:
master: dc2c7e6433eb46f119e5079c788fda3e3f50a1dc

Generated at Thu Feb 08 09:08:59 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.