clif: After incrementing pos, make sure it is still in bounds #15945
Conversation
While the for-loop condition does contain a bounds check, the pointer is independently incremented in the for-loop body. This increment therefore requires a separate bounds check. Otherwise, the parsing loop may access data outside the given buffer boundaries.
Thanks @nmeum for the fix! Just a couple of comments
@@ -278,7 +278,9 @@ ssize_t clif_get_attr(const char *input, size_t input_len, clif_attr_t *attr) | |||
attr->key_len = pos - attr->key; | |||
/* check if the value is quoted and prepare pointer for value scan */ | |||
pos++; | |||
if (*pos == '"') { | |||
if (pos == end) | |||
break; |
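Review bot: The `if (pos == end) break;` guarding the `pos++` after the key scan stops the read past the buffer for input ending in `key=`, but `break` leaves it to the code after the loop to decide what that truncated attribute means; returning `CLIF_NOT_FOUND` at that point would make the malformed-attribute outcome explicit. If the `if (*pos == '"')` branch advances `pos` again to skip the opening quote, that increment needs the same `pos == end` check, since input ending in `foo="` would otherwise reach the same out-of-bounds read.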
If it gets to this condition, it would be a malformed attribute right? (e.g. foo=)
break; | |
return CLIF_NOT_FOUND; |
Right, but what about foo="? That doesn't seem to return CLIF_NOT_FOUND either at the moment, or am I missing something here?
Yeah, we should check for that, and also a possible foo="ba I guess, and return CLIF_NOT_FOUND.
Ok, maybe it makes sense to implement this separately? The changes I propose here handle foo= in the same way as foo=" is handled presently.
Ok. Could you add your proposed test to the unit test application?
Done. Keep in mind, though, that the tests are not run with ASAN enabled, so even if this bug were reintroduced they would not necessarily detect it.
799a002 to 767e700
ACK.
Testing procedure
Sample application code:
Minimal Makefile:
Invoke as:
With this patch applied, no error is reported.
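A stand-alone C model of the pattern under review, added here as an example; it is neither the PR's sample application nor RIOT's clif code, and attr_parse() and attr_value_len() are hypothetical names. It scans a length-bounded buffer for key, key=value or key="value", and every pointer increment that sits outside a loop condition is followed by its own pos == end check, so the foo=, foo=" and foo="ba inputs discussed above are rejected instead of read past the buffer.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical, simplified model of an attribute scanner; not RIOT's
 * clif_get_attr(). Input is the non-NUL-terminated range [input, input+len). */
typedef enum { ATTR_OK = 0, ATTR_NOT_FOUND = -1 } attr_result_t;

typedef struct {
    const char *key;   size_t key_len;
    const char *value; size_t value_len;
} attr_t;

attr_result_t attr_parse(const char *input, size_t input_len, attr_t *attr)
{
    const char *pos = input, *end = input + input_len;
    attr->key = pos; attr->value = NULL; attr->key_len = attr->value_len = 0;
    while (pos < end && *pos != '=' && *pos != ';')  /* loop condition bounds-checks */
        pos++;
    attr->key_len = pos - attr->key;
    if (attr->key_len == 0) return ATTR_NOT_FOUND;
    if (pos == end || *pos == ';') return ATTR_OK;   /* bare key, no value */
    pos++;                                           /* skip '=': not covered by a loop */
    if (pos == end) return ATTR_NOT_FOUND;           /* "foo=": the check this PR adds */
    if (*pos == '"') {
        pos++;                                       /* skip the opening quote */
        if (pos == end) return ATTR_NOT_FOUND;       /* "foo=\"" */
        attr->value = pos;
        while (pos < end && *pos != '"') pos++;
        if (pos == end) return ATTR_NOT_FOUND;       /* "foo=\"ba": unterminated quote */
        attr->value_len = pos - attr->value;
        return ATTR_OK;
    }
    attr->value = pos;
    while (pos < end && *pos != ';') pos++;
    attr->value_len = pos - attr->value;
    return ATTR_OK;
}

/* Parse a NUL-terminated string; returns the value length, or -1 if malformed. */
int attr_value_len(const char *s)
{
    attr_t a;
    return attr_parse(s, strlen(s), &a) == ATTR_OK ? (int)a.value_len : -1;
}
```

Compiled with -fsanitize=address, removing any of the three pos == end checks turns the corresponding malformed input into a heap-buffer-overflow report on a buffer allocated with exactly input_len bytes.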
Issues/PRs references
None.