[SERVER-27209] BSONObj::getStringField() does not handle embedded null bytes correctly Created: 29/Nov/16 Updated: 05/Jun/22 Resolved: 13/Jan/22 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | 5.3.0 |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | Marko Vojvodic | Assignee: | Matt Kneiser |
| Resolution: | Done | Votes: | 0 |
| Labels: | bson, neweng, techdebt |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Backwards Compatibility: | Minor Change |
| Operating System: | ALL |
| Sprint: | Execution Team 2021-11-29, Execution Team 2021-12-13, Execution Team 2021-12-27, Execution Team 2022-01-10, Execution Team 2022-01-24 |
| Participants: | |
| Linked BF Score: | 129 |
| Description |
|
A BSONElement of type String has a pointer + length implementation and therefore may contain an embedded null byte. BSONObj::getStringField uses valuestr in its implementation, which can lead us to incorrectly interpret the string as null terminated. |
| Comments |
| Comment by Githook User [ 13/Jan/22 ] |
|
Author: {'name': 'Matt Kneiser', 'email': 'matt.kneiser@mongodb.com', 'username': 'themattman'} Message:
|
| Comment by Githook User [ 13/Jan/22 ] |
|
Author: {'name': 'Matt Kneiser', 'email': 'matt.kneiser@mongodb.com', 'username': 'themattman'} Message:
Related PR in server repo: [SERVER-27209 Eliminate dangerous BSONElement string extraction methods](https://github.com/10gen/mongo/pull/2579) |
| Comment by David Storch [ 29/Nov/16 ] |
|
BSONElement::valuestr() should probably go away entirely, although a quick grep suggests that there are currently about 180 callers. |
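
The mismatch from the Description, as an added example (not MongoDB's code and not part of the original ticket): a hand-built BSON String element whose value contains an embedded NUL is read once as a C string and once using its length prefix. The helper names (`makeStringDoc`, `firstStringElem`, `asCString`, `asLengthAware`) and the sample value are constructed for illustration.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Illustrative helpers only (hypothetical names); not MongoDB's BSONObj/BSONElement API.
using Bytes = std::vector<unsigned char>;
struct StringElem { const char* data; size_t size; };  // size excludes the trailing NUL

static void putLE32(Bytes& b, uint32_t v) {  // append a little-endian int32
    for (int i = 0; i < 4; ++i) b.push_back((v >> (8 * i)) & 0xff);
}

// Encodes {name: value} as: int32 total | 0x02 | name\0 | int32 len | bytes\0 | 0x00
Bytes makeStringDoc(const std::string& name, const std::string& value) {
    Bytes body{0x02};                                   // element type: String
    body.insert(body.end(), name.begin(), name.end());
    body.push_back(0x00);                               // field name is a C string
    putLE32(body, static_cast<uint32_t>(value.size() + 1));  // length counts the NUL
    body.insert(body.end(), value.begin(), value.end());
    body.insert(body.end(), 2, 0x00);                   // string NUL + document terminator
    Bytes doc;
    putLE32(doc, static_cast<uint32_t>(body.size() + 4));
    doc.insert(doc.end(), body.begin(), body.end());
    return doc;
}

// Finds the first element and validates it as a String against the buffer bounds.
bool firstStringElem(const Bytes& doc, StringElem* out) {
    if (doc.size() < 5 || doc[4] != 0x02) return false;
    size_t i = 5;
    while (i < doc.size() && doc[i++] != 0) {}  // skip the field name and its NUL
    if (i + 4 > doc.size()) return false;
    uint32_t len = 0;
    for (int b = 0; b < 4; ++b) len |= static_cast<uint32_t>(doc[i + b]) << (8 * b);
    i += 4;
    if (len == 0 || len > doc.size() - i || doc[i + len - 1] != 0) return false;
    *out = {reinterpret_cast<const char*>(&doc[i]), len - 1};
    return true;
}

std::string asCString(const StringElem& e) { return std::string(e.data); }  // stops at first NUL
std::string asLengthAware(const StringElem& e) { return std::string(e.data, e.size); }

int main() {
    Bytes doc = makeStringDoc("user", std::string("admin\0guest", 11));  // constructed sample
    StringElem e{};
    if (!firstStringElem(doc, &e)) return 1;
    std::printf("c-string=%zu length-aware=%zu\n", asCString(e).size(), asLengthAware(e).size());
}
```

The two readers disagree on the same element, so any two values that share a prefix up to the first NUL become indistinguishable to a caller that uses the C-string view.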