[SERVER-21122] Handle integer overflow in KMIP message parsing code Created: 26/Oct/15  Updated: 04/Nov/15  Resolved: 30/Oct/15

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: 3.2.0-rc0
Fix Version/s: 3.2.0-rc2

Type: Bug Priority: Major - P3
Reporter: Andreas Nilsson Assignee: Andreas Nilsson
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Backwards Compatibility: Fully Compatible
Operating System: ALL
Sprint: Security A 10/09/15, Security B 10/30/15
Participants:

Description

Parsing of KMIP strings (KMIPResponse::_parseString) contains an integer overflow that bypasses the protections provided by the ConstDataRangeCursor.

    StatusWith<size_t> swTag = _parseTag(cdrc, tag, ItemType::textString, tagName);
    if (!swTag.isOK()) {
        return swTag.getStatus();
    }
    size_t len = swTag.getValue();

This length is attacker-controlled and can be very large (e.g., UINT_MAX). If len is 0xffffffffU, the padding arithmetic in the following code wraps around, allowing the advance to succeed.

    Status adv = cdrc->advance(len + (8 - (len % 8)) % 8);
    if (!adv.isOK()) {
        return adv;
    }

For len = 0xffffffffU, “len + (8 - (len % 8)) % 8” evaluates to 0: len % 8 is 7, so the pad is 1 and len + 1 wraps to 0, meaning the cursor is advanced by nothing and the bounds check is bypassed. In this particular case, the subsequent conversion to std::string causes an exception:

    return std::string(data, len);

This would only occur on systems where “sizeof(uint32_t) == sizeof(size_t)”, because advance() takes a size_t while the parsing code uses uint32_t.
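As an added example (not the ticket's code and not the KMIP parser's own code), the following C++ models the two computations the description walks through. It emulates a 32-bit size_t with uint32_t so the wrap-around reproduces on any host, shows the unchecked padded-length computation wrapping to 0 for len = 0xffffffffU, and places a checked version beside it that refuses to advance when the addition would overflow or exceed the bytes remaining. ToyCursor and all function names are constructed for illustration and stand in for ConstDataRangeCursor::advance().

```cpp
#include <cstdint>
#include <limits>

// Constructed example. Len32 emulates a 32-bit size_t so the wrap-around
// described in the ticket reproduces regardless of the host's word size.
using Len32 = uint32_t;

// Unchecked padded length, the same expression as in the ticket: round len
// up to a multiple of 8. For len == 0xffffffffU, len % 8 == 7, the pad is 1,
// and len + 1 wraps to 0 in 32-bit arithmetic.
Len32 paddedLengthUnchecked(Len32 len) {
    return len + (8 - (len % 8)) % 8;
}

// Checked version: compute the pad first and test the addition against the
// type's maximum before performing it. Returns -1 instead of wrapping.
long long paddedLengthChecked(Len32 len) {
    Len32 pad = (8 - (len % 8)) % 8;
    if (len > std::numeric_limits<Len32>::max() - pad) {
        return -1;  // len + pad would overflow
    }
    return static_cast<long long>(len + pad);
}

// Minimal cursor with the contract the ticket relies on: advance() succeeds
// only if the requested byte count fits in the remaining range. (Hypothetical
// stand-in for ConstDataRangeCursor.)
struct ToyCursor {
    const char* data;
    Len32 remaining;
    bool advance(Len32 n) {
        if (n > remaining) return false;
        data += n;
        remaining -= n;
        return true;
    }
};

// Reproduces the ticket's sequence: a wrapped padded length of 0 lets
// advance() succeed even though len bytes are not available. Returns true
// when the advance succeeds, i.e. the bounds check was bypassed.
bool unsafeAdvanceBypassed(Len32 len, Len32 available) {
    char buf[16] = {0};  // constructed buffer; only its size matters here
    ToyCursor c{buf, available};
    return c.advance(paddedLengthUnchecked(len));
}

// Hardened sequence: reject the declared length if the padded length
// overflows or exceeds the bytes remaining in the cursor.
bool safeParseString(Len32 len, Len32 available) {
    char buf[16] = {0};
    ToyCursor c{buf, available};
    long long padded = paddedLengthChecked(len);
    if (padded < 0) return false;                       // overflow detected
    if (!c.advance(static_cast<Len32>(padded))) return false;  // out of range
    return true;
}
```

The overflow check works because the pad is at most 7 and is known before the addition, so comparing len against max - pad never itself overflows; the same shape applies when the real code's size_t is 64 bits wide, where the wrap is merely harder to reach rather than impossible.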



Comments
Comment by Githook User [ 30/Oct/15 ]

Author: Andreas Nilsson (agralius, andreas.nilsson@10gen.com)

Message: SERVER-21122 Fix integer overflow in KMIP response parsing
Branch: master
https://github.com/10gen/mongo-enterprise-modules/commit/b3aef6bcf24d126eee8f417a9353d75261a0139d

Comment by Andreas Nilsson [ 26/Oct/15 ]

Given that there is a wire message size limit, this is not exploitable in practice. However, we should still address the issue to make the parsing code as resilient as possible.

Generated at Thu Feb 08 03:56:22 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.