Fix for CVE-2018-16790 -- Verify bounds before binary length read.
As reported here: https://jira.mongodb.org/browse/CDRIVER-2819,
a heap overread occurs due to a failure to correctly verify data
bounds.

In the original check, len - o returns the data left including the
sizeof(l) we just read. Instead, the comparison should check
against the data left NOT including the binary int32, i.e. just
subtype (byte*) instead of int32 subtype (byte*).

Added in test for corrupted BSON example.
Scott Gayou authored and ajdavis committed Sep 17, 2018
1 parent 47d0f7e commit 0d9a4d9
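The arithmetic in the commit message, worked through on a constructed document. This is an added, stand-alone C illustration and not libbson's code: a binary element is an int32 length `l`, one subtype byte, then `l` bytes of data, and `o` is the offset of the int32 inside a document of `len` bytes, playing the role of `iter->d1` and `len` in the hunk. The guard that the int32 itself fits before it is read is this example's own; the page does not show how libbson ensures that. The 16-byte document `{ "b": BinData(0, "xyz") }` is constructed here, and the declared length field is then varied to see which values each form of the check accepts versus which ones would actually read past the buffer.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not libbson's code.  `o` is the offset of a binary
 * element's int32 length inside a `len`-byte document (iter->d1 and len in
 * the libbson hunk).  The "int32 itself fits" guard is this example's own. */

/* Read a little-endian uint32 without alignment assumptions. */
static uint32_t
read_le32 (const uint8_t *p)
{
   return (uint32_t) p[0] | ((uint32_t) p[1] << 8) |
          ((uint32_t) p[2] << 16) | ((uint32_t) p[3] << 24);
}

typedef bool (*len_check_fn) (const uint8_t *raw, uint32_t len, uint32_t o);

/* The check before the fix: l is compared against the bytes left from o,
 * which still includes the 4-byte length field just read. */
bool
binary_len_ok_old (const uint8_t *raw, uint32_t len, uint32_t o)
{
   uint32_t l;
   if (o >= len || len - o < 4) {
      return false;
   }
   l = read_le32 (raw + o);
   return l < (len - o);
}

/* The check after the fix: the length field is excluded, so l is compared
 * against the bytes available for the subtype byte and the data. */
bool
binary_len_ok_new (const uint8_t *raw, uint32_t len, uint32_t o)
{
   uint32_t l;
   if (o >= len || len - o < 4) {
      return false;
   }
   l = read_le32 (raw + o);
   return l < (len - o - 4);
}

/* Ground truth: would reading the subtype byte plus l data bytes run past
 * the end of the buffer?  Summed in 64 bits so it cannot wrap. */
bool
payload_overruns (uint32_t len, uint32_t o, uint32_t l)
{
   return (uint64_t) o + 4 + 1 + l > (uint64_t) len;
}

/* Constructed 16-byte document { "b": BinData(0, "xyz") }:
 *   00..03 int32 document length (16)   04 0x05 binary element type
 *   05..06 "b\0" key                    07..10 int32 binary length, o = 7
 *   11 subtype 0x00                     12..14 "xyz"   15 0x00 terminator */
#define DOC_LEN 16
#define BIN_LEN_OFF 7

/* Write the document into out[] with a chosen value in the length field. */
void
build_doc (uint8_t out[DOC_LEN], uint32_t declared_len)
{
   static const uint8_t tmpl[DOC_LEN] = {0x10, 0x00, 0x00, 0x00, 0x05, 'b',
                                         0x00, 0x03, 0x00, 0x00, 0x00, 0x00,
                                         'x',  'y',  'z',  0x00};
   memcpy (out, tmpl, DOC_LEN);
   for (int i = 0; i < 4; i++) {
      out[BIN_LEN_OFF + i] = (uint8_t) (declared_len >> (8 * i));
   }
}

/* Run one check against the document built with declared length l. */
bool
check_with_len (len_check_fn check, uint32_t l)
{
   uint8_t doc[DOC_LEN];
   build_doc (doc, l);
   return check (doc, DOC_LEN, BIN_LEN_OFF);
}

/* Count declared lengths in [0, max_len] that `check` accepts although the
 * payload would overrun the 16-byte buffer. */
int
count_escapes (len_check_fn check, uint32_t max_len)
{
   int escapes = 0;
   for (uint32_t l = 0; l <= max_len; l++) {
      if (check_with_len (check, l) &&
          payload_overruns (DOC_LEN, BIN_LEN_OFF, l)) {
         escapes++;
      }
   }
   return escapes;
}

int
main (void)
{
   printf ("old check accepts %d overrunning lengths, new check %d\n",
           count_escapes (binary_len_ok_old, 64),
           count_escapes (binary_len_ok_new, 64));
   return 0;
}
```

With `len - o` equal to 9 here, the old comparison accepts any declared length up to 8, but only 4 bytes of payload remain after the length field and the subtype byte, so lengths 5 through 8 pass the check and read up to four bytes beyond the document. The corrected bound of `len - o - 4` admits lengths up to 4 only; note that 4 is still accepted even though it makes the data run through the document's terminating byte, so that form of malformation is left to later checks.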
Showing 3 changed files with 6 additions and 1 deletion.
2 changes: 1 addition & 1 deletion src/libbson/src/bson/bson-iter.c
Expand Up @@ -618,7 +618,7 @@ _bson_iter_next_internal (bson_iter_t *iter, /* INOUT */
memcpy (&l, iter->raw + iter->d1, sizeof (l));
l = BSON_UINT32_FROM_LE (l);

if (l >= (len - o)) {
if (l >= (len - o - 4)) {
iter->err_off = o;
goto mark_invalid;
}
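Review bot: the new bound hard-codes 4 where the memcpy two lines above reads sizeof (l); `if (l >= (len - o - sizeof (l)))` keeps the two in step. The subtraction also presumes an earlier check already guaranteed at least four bytes remain at o, which this hunk does not show: if len and o are unsigned and len - o is less than 4, the expression wraps and the comparison passes for any l, so please confirm that guard exists or add one here. Lastly, with the subtype byte counted, the largest accepted l (len - o - 5) puts the end of the data at exactly len, so the element can still consume the document's terminating byte; that is no longer an over-read, but structural validity then rests on the checks that follow this one.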
Binary file added src/libbson/tests/binary/test59.bson
5 changes: 5 additions & 0 deletions src/libbson/tests/test-bson.c
Expand Up @@ -1249,6 +1249,11 @@ test_bson_validate (void)
12,
BSON_VALIDATE_NONE,
"corrupt BSON");
VALIDATE_TEST ("test59.bson",
BSON_VALIDATE_NONE,
9,
BSON_VALIDATE_NONE,
"corrupt BSON");

/* DBRef validation */
b = BCON_NEW ("my_dbref",
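Review bot: the expected err_off of 9 for test59.bson cannot be verified from this hunk because the fixture is binary and not shown; a comment beside the VALIDATE_TEST line giving the crafted layout (key, declared binary length, bytes actually present) would let a reviewer confirm that 9 is the offset of the length field rather than of the element's type byte. Since the fix moves a `>=` bound by four bytes, a second fixture at the boundary, a declared length equal to the remaining bytes minus the subtype byte (accepted) alongside one byte more (rejected), would pin the corrected bound rather than only the single corrupt value.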
