Comment 2 for bug 1872560

Seong-Joong Kim (sungjungk) wrote : Re: heap-based buffer overflow in bson.c

I also suggest a solution to deal with it in a different way.

Motivation
A heap-based buffer overflow can occur when an integer overflow happens on a ‘bytesNeeded’ variable.
The following conditions are required to cause an overflow of ‘bytesNeeded’:
- length of ‘value’ in .crash file => 0 < {length of ‘value’} < 1024
- length of ‘key’ in .crash file => UINT32_MAX - {length of ‘value’} - 7 < {length of ‘key’}

To deal with it, the following exception handling is required after line 663 in bson.c:
if (len > UINT32_MAX - dataSize - 1)
  return BSON_ERROR;

Unfortunately, the ‘len’ variable can also suffer an integer overflow, which leads to unintended consequences.

To correct the above issues, the following exception handling is better than the one above:
if (len > INT32_MAX)
  return BSON_ERROR;

It is reasonable to assume that the length of 'key' in .crash will not exceed INT32_MAX.

Modification
Correct the above issue.
Correctly added exception handling against overflow.
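The following is an added example, not code from whoopsie, bson.c or the comment author. It models the size arithmetic the comment describes so the wraparound can be reproduced in isolation: a BSON string element is assumed to cost the key bytes plus the value bytes plus 7 bytes of fixed overhead (type byte, key NUL, 4-byte value length, value NUL), which is where the 7 in the comment's condition comes from. The function names, the `BSON_OK`/`BSON_ERROR` values and the use of `uint32_t` for the lengths are assumptions made for this example. It shows the unchecked computation wrapping, the `len > INT32_MAX` check proposed in the comment rejecting the overflowing key, and, going beyond the comment, a fully overflow-checked addition that does not depend on the value being shorter than 1024 bytes.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed return codes; the real library's values may differ. */
#define BSON_OK     0
#define BSON_ERROR (-1)

/* Assumed fixed overhead of a BSON string element besides key and value bytes:
 * type byte (1) + key terminator (1) + int32 value length (4) + value terminator (1). */
#define STRING_ELEMENT_OVERHEAD 7u

/* Unchecked model of 'bytesNeeded': wraps modulo 2^32 when
 * key_len > UINT32_MAX - value_len - 7, exactly the condition in the comment. */
uint32_t bytes_needed_unchecked(uint32_t key_len, uint32_t value_len)
{
    return key_len + value_len + STRING_ELEMENT_OVERHEAD;
}

/* True when the wrapped 32-bit size is smaller than the real number of bytes
 * that would later be copied into the buffer, i.e. a buffer sized from the
 * wrapped value is too small and the subsequent copy overflows the heap. */
bool wrapped_size_is_too_small(uint32_t key_len, uint32_t value_len)
{
    uint64_t real = (uint64_t)key_len + value_len + STRING_ELEMENT_OVERHEAD;
    return bytes_needed_unchecked(key_len, value_len) < real;
}

/* The check proposed in the comment: reject any key longer than INT32_MAX.
 * With value_len < 1024 this is sufficient, since INT32_MAX + 1023 + 7 fits
 * in 32 bits; it relies on that bound on the value length. */
int bytes_needed_checked(uint32_t key_len, uint32_t value_len, uint32_t *out)
{
    if (key_len > INT32_MAX)
        return BSON_ERROR;
    *out = key_len + value_len + STRING_ELEMENT_OVERHEAD;
    return BSON_OK;
}

/* Overflow-safe 32-bit addition: fails instead of wrapping. */
static bool add_u32(uint32_t a, uint32_t b, uint32_t *r)
{
    if (a > UINT32_MAX - b)
        return false;
    *r = a + b;
    return true;
}

/* Added variant (not from the comment): check every addition, so no
 * assumption about the value length is needed. */
int bytes_needed_safe(uint32_t key_len, uint32_t value_len, uint32_t *out)
{
    uint32_t partial;
    if (!add_u32(key_len, value_len, &partial))
        return BSON_ERROR;
    if (!add_u32(partial, STRING_ELEMENT_OVERHEAD, out))
        return BSON_ERROR;
    return BSON_OK;
}

int main(void)
{
    /* Constructed input matching the comment's condition: a 100-byte value
     * and a key long enough that key + value + 7 exceeds UINT32_MAX. */
    uint32_t value_len = 100u;
    uint32_t key_len = UINT32_MAX - value_len - 3u;
    uint32_t out = 0;

    printf("unchecked bytesNeeded: %u (wrapped: %s)\n",
           bytes_needed_unchecked(key_len, value_len),
           wrapped_size_is_too_small(key_len, value_len) ? "yes" : "no");
    printf("len > INT32_MAX check: %s\n",
           bytes_needed_checked(key_len, value_len, &out) == BSON_ERROR ? "rejected" : "accepted");
    printf("checked-add variant:   %s\n",
           bytes_needed_safe(key_len, value_len, &out) == BSON_ERROR ? "rejected" : "accepted");
    return 0;
}
```

The second variant is stricter than the comment's proposal: a key of exactly INT32_MAX bytes paired with a value of UINT32_MAX bytes passes the `len > INT32_MAX` test and still wraps, whereas the checked addition rejects it. In the .crash-file scenario the comment describes, where the value is under 1024 bytes, both checks behave the same.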