Fix out-of-bounds access in xrow_header_decode() and request_decode()

Fixes TALOS-2016-0255 Fixes CVE-2016-9037 Fixes #1992
tarantool · Dec 15, 2016 · 6dff383 · 6dff383
1 parent feb8ff9
commit 6dff383
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 7 deletions.
diff --git a/src/box/request.cc b/src/box/request.cc
@@ -70,13 +70,13 @@ request_decode(struct request *request, const char *data, uint32_t len)
 			mp_check(&data, end);
 			continue;
 		}
-		unsigned char key = mp_decode_uint(&data);
-		key_map &= ~iproto_key_bit(key);
+		uint64_t key = mp_decode_uint(&data);
 		const char *value = data;
-		if (mp_check(&data, end))
-			goto error;
-		if (iproto_key_type[key] != mp_typeof(*value))
+		if (mp_check(&data, end) != 0 ||
+		    key >= IPROTO_KEY_MAX ||
+		    iproto_key_type[key] != mp_typeof(*value))
 			goto error;
+		key_map &= ~iproto_key_bit(key);
 		switch (key) {
 		case IPROTO_SPACE_ID:
 			request->space_id = mp_decode_uint(&value);

diff --git a/src/box/xrow.cc b/src/box/xrow.cc
@@ -60,8 +60,9 @@ xrow_header_decode(struct xrow_header *header, const char **pos,
 	for (uint32_t i = 0; i < size; i++) {
 		if (mp_typeof(**pos) != MP_UINT)
 			goto error;
-		unsigned char key = mp_decode_uint(pos);
-		if (iproto_key_type[key] != mp_typeof(**pos))
+		uint64_t key = mp_decode_uint(pos);
+		if (key >= IPROTO_KEY_MAX ||
+		    iproto_key_type[key] != mp_typeof(**pos))
 			goto error;
 		switch (key) {
 		case IPROTO_REQUEST_TYPE: