ftp_range: avoid integer overflow when figuring out byte range #2205

Closed
wants to merge 3 commits into
from

Conversation

Projects
None yet
3 participants
@cmeister2
Contributor

cmeister2 commented Dec 31, 2017

When trying to bump the value with one and the value is already at max,
it causes an integer overflow.

Detected by oss-fuzz:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4853

@cmeister2

This comment has been minimized.

Show comment Hide comment
@cmeister2

cmeister2 Jan 2, 2018

Contributor

Travis issues are CI related and not code related.

Contributor

cmeister2 commented Jan 2, 2018

Travis issues are CI related and not code related.

lib/ftp.c
- data->req.maxdownload = (to - from) + 1; /* include last byte */
+ totalsize = to-from;
+ if(totalsize == CURL_OFF_T_MAX)
+ /* this is too big to increase, so bail out */

This comment has been minimized.

Show comment Hide comment
@jay

jay Jan 4, 2018

Owner

I would get rid of this comment it's implied. also you can declare totalsize in this block. also since we're here this could use a check to make sure from <= to

@jay

jay Jan 4, 2018

Owner

I would get rid of this comment it's implied. also you can declare totalsize in this block. also since we're here this could use a check to make sure from <= to

This comment has been minimized.

Show comment Hide comment
@cmeister2

cmeister2 Jan 4, 2018

Contributor

This code is basically a copy of the code from https://github.com/curl/curl/blob/master/lib/file.c#L166 that @bagder wrote; should we be updating both places?

@cmeister2

cmeister2 Jan 4, 2018

Contributor

This code is basically a copy of the code from https://github.com/curl/curl/blob/master/lib/file.c#L166 that @bagder wrote; should we be updating both places?

This comment has been minimized.

Show comment Hide comment
@bagder

bagder Jan 4, 2018

Owner

We could, but I'd rather not lump a change of file.c into this fix as it isn't really related to this FTP range integer overflow...

@bagder

bagder Jan 4, 2018

Owner

We could, but I'd rather not lump a change of file.c into this fix as it isn't really related to this FTP range integer overflow...

This comment has been minimized.

Show comment Hide comment
@cmeister2

cmeister2 Jan 15, 2018

Contributor

The reason I ask is that you made a change to file_range to fix a bug, file_range has the comment

 /*
  Check if this is a range download, and if so, set the internal variables
  properly. This code is copied from the FTP implementation and might as
  well be factored out.
 */

and the ftp_range function still has the issue. So my assumption is that any fixes (or markups) that need to be made in one place should be made in the other as well.

@cmeister2

cmeister2 Jan 15, 2018

Contributor

The reason I ask is that you made a change to file_range to fix a bug, file_range has the comment

 /*
  Check if this is a range download, and if so, set the internal variables
  properly. This code is copied from the FTP implementation and might as
  well be factored out.
 */

and the ftp_range function still has the issue. So my assumption is that any fixes (or markups) that need to be made in one place should be made in the other as well.

This comment has been minimized.

Show comment Hide comment
@bagder

bagder Jan 15, 2018

Owner

Let's turn file_range() into Curl_range() and make both the FILE and FTP code use it.

The only difference I can spot is that ftp_range() sets ftpc->dont_check = TRUE when a range has been set, so we should make sure to set that separately.

What do you think?

@bagder

bagder Jan 15, 2018

Owner

Let's turn file_range() into Curl_range() and make both the FILE and FTP code use it.

The only difference I can spot is that ftp_range() sets ftpc->dont_check = TRUE when a range has been set, so we should make sure to set that separately.

What do you think?

This comment has been minimized.

Show comment Hide comment
@cmeister2

cmeister2 Jan 15, 2018

Contributor

Happy with that. Do you want to run with that or shall I?

@cmeister2

cmeister2 Jan 15, 2018

Contributor

Happy with that. Do you want to run with that or shall I?

This comment has been minimized.

Show comment Hide comment
@bagder

bagder Jan 15, 2018

Owner

Please go ahead, I have a few other tasks to work on anyway! =)

@bagder

bagder Jan 15, 2018

Owner

Please go ahead, I have a few other tasks to work on anyway! =)

lib/curl_range.c
+#if !defined(CURL_DISABLE_FTP) && !defined(CURL_DISABLE_FILE)
+
+/*
+ * Curl_memrchr()

This comment has been minimized.

Show comment Hide comment
@cmeister2

cmeister2 Jan 29, 2018

Contributor

Sigh. todo: remove this

@cmeister2

cmeister2 Jan 29, 2018

Contributor

Sigh. todo: remove this

lib/curl_range.c
+
+ /*
+ Check if this is a range download, and if so, set the internal variables
+ properly. This code is copied from the FTP implementation and might as

This comment has been minimized.

Show comment Hide comment
@cmeister2

cmeister2 Jan 29, 2018

Contributor

And update this description...

@cmeister2

cmeister2 Jan 29, 2018

Contributor

And update this description...

@cmeister2

This comment has been minimized.

Show comment Hide comment
@cmeister2

cmeister2 Jan 29, 2018

Contributor

Build looks fine apart from the MacOS failures which are known about.

Contributor

cmeister2 commented Jan 29, 2018

Build looks fine apart from the MacOS failures which are known about.

cmeister2 added some commits Jan 29, 2018

lib/file.c
@@ -514,7 +456,7 @@ static CURLcode file_do(struct connectdata *conn, bool *done)
}
/* Check whether file range has been specified */
- file_range(conn);
+ Curl_range(conn);

This comment has been minimized.

Show comment Hide comment
@bagder

bagder Jan 30, 2018

Owner

check return code?

@bagder

bagder Jan 30, 2018

Owner

check return code?

@bagder

bagder approved these changes Jan 30, 2018

@bagder

This comment has been minimized.

Show comment Hide comment
@bagder

bagder Jan 30, 2018

Owner

Hm, I'm not sure how github interpreted that but I think there should be a check of the return code but otherwise the change looks good!

Owner

bagder commented Jan 30, 2018

Hm, I'm not sure how github interpreted that but I think there should be a check of the return code but otherwise the change looks good!

@cmeister2

This comment has been minimized.

Show comment Hide comment
@cmeister2

cmeister2 Jan 30, 2018

Contributor

https://github.com/curl/curl/blob/master/lib/file.c#L517 in master doesn't do this check; is this something new that should be done?

Contributor

cmeister2 commented Jan 30, 2018

https://github.com/curl/curl/blob/master/lib/file.c#L517 in master doesn't do this check; is this something new that should be done?

@bagder

This comment has been minimized.

Show comment Hide comment
@bagder

bagder Jan 30, 2018

Owner

It's not new, but that's a flaw we can just as well correct while fixing up this code I think.

Owner

bagder commented Jan 30, 2018

It's not new, but that's a flaw we can just as well correct while fixing up this code I think.

@cmeister2

This comment has been minimized.

Show comment Hide comment
@cmeister2

cmeister2 Jan 30, 2018

Contributor

What's the desired behaviour on checking the return code? Anything other than CURLE_OK is a failure and should stop the transfer?

Contributor

cmeister2 commented Jan 30, 2018

What's the desired behaviour on checking the return code? Anything other than CURLE_OK is a failure and should stop the transfer?

@bagder

This comment has been minimized.

Show comment Hide comment
@bagder

bagder Jan 30, 2018

Owner

Right, the common pattern is to just:

   result = Curl_range(....);
   if(result)
     return result;
Owner

bagder commented Jan 30, 2018

Right, the common pattern is to just:

   result = Curl_range(....);
   if(result)
     return result;
@cmeister2

This comment has been minimized.

Show comment Hide comment
@cmeister2

cmeister2 Jan 30, 2018

Contributor

Ok, done - hope that passes the tests!

Contributor

cmeister2 commented Jan 30, 2018

Ok, done - hope that passes the tests!

@bagder

bagder approved these changes Jan 30, 2018

@bagder

This comment has been minimized.

Show comment Hide comment
@bagder

bagder Jan 30, 2018

Owner

thanks!

Owner

bagder commented Jan 30, 2018

thanks!

@bagder bagder closed this in e04417d Jan 30, 2018

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment