[SERVER-13517] internal client should validate BSON responses Created: 08/Apr/14 Updated: 02/Sep/16 Resolved: 19/Aug/16 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Internal Client, Networking |
| Affects Version/s: | 2.2.7, 2.6.0 |
| Fix Version/s: | 3.3.12 |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | Benety Goh | Assignee: | Adam Chelminski (Inactive) |
| Resolution: | Done | Votes: | 1 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Backwards Compatibility: | Fully Compatible | ||||
| Operating System: | ALL | ||||
| Sprint: | Platforms 2016-08-26 | ||||
| Linked BF Score: | 0 | ||||
| Description |
|
This was found on a 2.2 server but the defect still exists in master. The mongod was running a replica set heartbeat command against another node but received some corrupted BSON in the results. On closer inspection, it appears validateBSON is not called in this code path. Here's a demangled stack trace: ... [rsHealthPoll] Assertion: 10320:BSONElement: bad type -51 |
| Comments |
| Comment by Githook User [ 19/Aug/16 ] |
|
Author: Adam Chelminski (adamchel) <adam.chelminski@mongodb.com>
Message: |
| Comment by Githook User [ 15/Aug/16 ] |
|
Author: Adam Chelminski (adamchel) <adam.chelminski@mongodb.com>
Message: Revert " This reverts commit 0b2645558c9715128dceb524660b603e9d8532d6. |
| Comment by Githook User [ 15/Aug/16 ] |
|
Author: Adam Chelminski (adamchel) <adam.chelminski@mongodb.com>
Message: |
| Comment by Eric Milkie [ 12/Apr/16 ] |
|
I think William wanted my first option presented above, which is that the C++ driver validates incoming responses. As far as I know, the internal client does not do this today. |
| Comment by Ian Whalen (Inactive) [ 11/Apr/16 ] |
|
milkie since the last comment here have we added the hardening/validation that William was asking about? |
| Comment by William Zola [ 16/Apr/14 ] |
|
The issue here is that invalid incoming BSON from administrative commands (such as replication pings or the internal sharding commands) can cause the server to crash non-obviously. In an environment where the network silently corrupts the incoming BSON, this will cause the 'mongod' to crash. The request is to "harden" the server such that invalid or corrupt incoming BSON – no matter what the source – does not crash the 'mongod' or 'mongos'. |
| Comment by Benety Goh [ 09/Apr/14 ] |
|
The issue we observed in the logs is related to validating the response from the server. |
| Comment by Eric Milkie [ 08/Apr/14 ] |
|
Are you saying the C++ driver should validate the response from the server, or should the server validate outgoing responses? I'm not sure we should have either. Right now (2.4+) the server validates incoming BSON, but that wouldn't help in this situation. If you need data checking on your network links, one option is to use TLS, which will break the connection at a lower level reliably. Validating BSON as a substitute for parity checking won't catch many errors. |
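
Added example, not MongoDB's validateBSON and not part of the ticket: a structural check over a subset of BSON element types, of the kind the ticket asks the internal client to run on a response before walking its elements. The names validDoc and sampleReply and the 26-byte reply are constructed for illustration. A corrupted type byte such as 0xCD (-51 as a signed char) is rejected, while a bit flip inside a string value still passes, which is the limit raised in the 08/Apr/14 comment.

```cpp
// Added illustration (not MongoDB code): structural BSON check, subset of types only.
#include <cstdint>
#include <cstring>
#include <vector>
static bool readLen(const uint8_t* p, size_t avail, int32_t& out) {
    if (avail < 4) return false;
    out = int32_t(p[0] | p[1] << 8 | p[2] << 16 | uint32_t(p[3]) << 24);  // little-endian
    return true;
}
// True if p[0..avail) holds exactly one well-formed document.
bool validDoc(const uint8_t* p, size_t avail, int depth = 0) {
    int32_t len, n;
    if (depth > 32 || !readLen(p, avail, len) || len < 5 || size_t(len) != avail) return false;
    if (p[len - 1] != 0) return false;                     // missing end-of-object byte
    size_t i = 4, end = size_t(len) - 1, need;
    while (i < end) {
        uint8_t type = p[i++];
        const void* nul = std::memchr(p + i, 0, end - i);  // field name is a C string
        if (!nul) return false;
        i = size_t(static_cast<const uint8_t*>(nul) - p) + 1;
        switch (type) {
            case 0x01: case 0x09: case 0x12: need = 8; break;  // double, date, int64
            case 0x08: need = 1; break;                        // bool
            case 0x10: need = 4; break;                        // int32
            case 0x02:  // string: int32 size (counting its NUL), then the bytes
                if (!readLen(p + i, end - i, n) || n < 1 || size_t(n) > end - i - 4) return false;
                if (p[i + 4 + size_t(n) - 1] != 0) return false;
                need = 4 + size_t(n); break;
            case 0x03: case 0x04:  // embedded document / array
                if (!readLen(p + i, end - i, n) || n < 5 || size_t(n) > end - i) return false;
                if (!validDoc(p + i, size_t(n), depth + 1)) return false;
                need = size_t(n); break;
            default: return false;  // unknown type byte, e.g. 0xCD (-51 as a signed char)
        }
        if (need > end - i) return false;                  // value runs past the document
        i += need;
    }
    return i == end;
}
// Constructed sample reply: {ok: 1 (int32), set: "rs0"}, 26 bytes.
std::vector<uint8_t> sampleReply() {
    return {0x1A,0,0,0, 0x10,'o','k',0, 1,0,0,0,
            0x02,'s','e','t',0, 4,0,0,0, 'r','s','0',0, 0};
}
int main() {
    auto good = sampleReply(), bad = sampleReply();
    bad[12] = 0xCD;  // corrupt the second element's type byte
    return (validDoc(good.data(), good.size()) && !validDoc(bad.data(), bad.size())) ? 0 : 1;
}
```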