Possible Illegal read memory access in APIv2 when sending malformed request #3603

Closed
0xricksanchez opened this issue Jan 28, 2020 · 1 comment

0xricksanchez commented Jan 28, 2020

Hi,

I've been auditing the API Endpoints in the context broker and I've come across some results that are likely of interest to you! I've been using a slightly modified version (added ASAN to Makefile) of the Docker container when using my tooling for robustness tests of the API endpoints.

Sending malformed JSON entities to the context.Orion_LD (compiled with an Address Sanitizer) V2 API can result in an illegal read memory access.
The problem seems to be in the homebrew json parser when trying to parse the 'children of the node' in /opt/fiware-orion/src/lib/jsonParseV2/parseContextAttributeCompoundValue.cpp:270.
In this particular case the compound value type was classified as an array (/opt/fiware-orion/src/lib/jsonParseV2/parseContextAttributeCompoundValue.cpp:229):

/* ****************************************************************************
*
* parseContextAttributeCompoundValue -
*/
std::string parseContextAttributeCompoundValue
(
  const rapidjson::Value::ConstMemberIterator&  node,
  ContextAttribute*                             caP,
  orion::CompoundValueNode*                     parent
)
{
[...]
  //
  // Children of the node
  //
  if (type == "Array")      <---------------
  {
    int counter  = 0;
[...]
}

Crash back trace:

orion_1  | time=Monday 02 Dec 17:22:13 2019.510Z | lvl=WARN | corr=47c3abac-1528-11ea-b3d5-0242ac110003 | trans=1575296018-231-00000021522 | from=172.17.0.1 | srv=<none> | subsrv=<none> | comp=Orion | op=AlarmManager.cpp[432]:badInputReset | msg=Releasing alarm BadInput 172.17.0.1
orion_1  | ASAN:DEADLYSIGNAL
orion_1  | =================================================================
orion_1  | ==1==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000060 (pc 0x55c491c916d1 bp 0x60b00004e508 sp 0x7f58d8b27ff0 T21540)
orion_1  | ==1==The signal is caused by a READ memory access.
orion_1  | ==1==Hint: address points to the zero page.
orion_1  |     #0 0x55c491c916d0 in std::vector<orion::CompoundValueNode*, std::allocator<orion::CompoundValueNode*> >::push_back(orion::CompoundValueNode* const&) /usr/include/c++/7/bits/stl_vector.h:941
orion_1  |     #1 0x55c491c916d0 in parseContextAttributeCompoundValue[abi:cxx11](rapidjson::GenericMemberIterator<true, rapidjson::UTF8<char>, rapidjson::MemoryPoolAllocator<rapidjson::CrtAllocator> > const&, ContextAttribute*, orion::CompoundValueNode*) /opt/fiware-orion/src/lib/jsonParseV2/parseContextAttributeCompoundValue.cpp:270
orion_1  |     #2 0x55c491c81387 in parseContextAttributeObject /opt/fiware-orion/src/lib/jsonParseV2/parseContextAttribute.cpp:130
orion_1  |     #3 0x55c491c85c76 in parseContextAttribute[abi:cxx11](ConnectionInfo*, rapidjson::GenericMemberIterator<true, rapidjson::UTF8<char>, rapidjson::MemoryPoolAllocator<rapidjson::CrtAllocator> > const&, ContextAttribute*) /opt/fiware-orion/src/lib/jsonParseV2/parseContextAttribute.cpp:265
orion_1  |     #4 0x55c491c6d7d3 in parseEntity[abi:cxx11](ConnectionInfo*, Entity*, bool) /opt/fiware-orion/src/lib/jsonParseV2/parseEntity.cpp:227
orion_1  |     #5 0x55c491c61eba in jsonRequestTreat(ConnectionInfo*, ParseData*, RequestType, JsonDelayedRelease*, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&) /opt/fiware-orion/src/lib/jsonParseV2/jsonRequestTreat.cpp:74
orion_1  |     #6 0x55c491b700f4 in payloadParse(ConnectionInfo*, ParseData*, RestService*, JsonRequest**, JsonDelayedRelease*, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&) /opt/fiware-orion/src/lib/rest/RestService.cpp:199
orion_1  |     #7 0x55c491b79268 in restService /opt/fiware-orion/src/lib/rest/RestService.cpp:630
orion_1  |     #8 0x55c491b7ea9f in orion::requestServe[abi:cxx11](ConnectionInfo*) /opt/fiware-orion/src/lib/rest/RestService.cpp:787
orion_1  |     #9 0x55c491b5dd88 in connectionTreat /opt/fiware-orion/src/lib/rest/rest.cpp:1580
orion_1  |     #10 0x55c49219b3e7 in call_connection_handler /opt/libmicrohttpd-0.9.48/src/microhttpd/connection.c:1585
orion_1  |     #11 0x55c49219c929 in MHD_connection_handle_idle /opt/libmicrohttpd-0.9.48/src/microhttpd/connection.c:2624
orion_1  |     #12 0x55c49219f2bd in MHD_handle_connection /opt/libmicrohttpd-0.9.48/src/microhttpd/daemon.c:998
orion_1  |     #13 0x7f58e78206da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
orion_1  |     #14 0x7f58e5e2288e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x12188e)
orion_1  |
orion_1  | AddressSanitizer can not provide additional info.
orion_1  | SUMMARY: AddressSanitizer: SEGV /usr/include/c++/7/bits/stl_vector.h:941 in std::vector<orion::CompoundValueNode*, std::allocator<orion::CompoundValueNode*> >::push_back(orion::CompoundValueNode* const&)
orion_1  | Thread T21540 created by T14 here:
orion_1  |     #0 0x7f58e8783d2f in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x37d2f)
orion_1  |     #1 0x55c49219f87f in create_thread /opt/libmicrohttpd-0.9.48/src/microhttpd/daemon.c:1230
orion_1  |
orion_1  | Thread T14 created by T0 here:
orion_1  |     #0 0x7f58e8783d2f in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x37d2f)
orion_1  |     #1 0x55c49219f87f in create_thread /opt/libmicrohttpd-0.9.48/src/microhttpd/daemon.c:1230
orion_1  |
orion_1  | ==1==ABORTING

Recorded responsible test case 1:

{"id": "urn:ngsi-ld:Store:123", "type": "Store", "address": {"type": "PostalAddress", "value": {"streetAddress": "Bornholmer Straße 65", "addressRegion": "Berlin", "addressLocality": "Prenzlauer Berg", "postalCode": "10439"}, "value": {"streetAddress": "Bornholmer Straße 65", "addressRegion": "Berlin", "addressLocality": "Prenzlauer Berg", "postalCode": "10439"}, "metadata": {"verified": {"value": "true", "type": ": Boolean"}}}, "location": {"type": "geo:json", "value": {"type": "Point", "coordinates": [13.3986, 52.5547]}}, "name": {"type": "Text", "value": ": Bösebrücke Einkauf"}}

Recorded responsible test case 2:

{"id": "urn:ngsi-ld:Store:123", "type": "Store", "address": {"type": "PostalAddress", "value": {"streetAddress": "Bornholmer Straße 65", "addressRegion": "Berlin", "addressLocality": "Prenzlauer Berg", "postalCode": "9223372036854775807"}, "value": {"streetAddress": "Bornholmer Straße 65", "addressRegion": "Berlin", "addressLocality": "Prenzlauer Berg", "postalCode": "10439"}, "metadata": {"verified": {"value": "true", "type": ": Boolean"}}}, "location": {"type": "geo:json", "value": {"type": "Point", "coordinates": [13.3986, 0.0]}}, "name": {"type": "Text", "value": ": Bösebrücke Einkauf"}}
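
Both recorded test cases repeat the "value" member inside "address", which a plain JSON parse silently collapses into one member. As an added example (not code from the issue or from Orion), the following Python pre-validator surfaces duplicated member names at any depth before a payload reaches the broker; it assumes the duplicated member is the relevant malformation, which the report does not state explicitly, and embeds test case 1 from the report as its input.

```python
import json
from typing import Any, List, Tuple


class _RawObject:
    """Keeps every member of a JSON object, duplicates included."""

    def __init__(self, pairs: List[Tuple[str, Any]]) -> None:
        self.pairs = pairs


def find_duplicate_members(payload: str) -> List[str]:
    """Return JSON-pointer style paths of every repeated member name.

    json.loads() keeps only the last occurrence of a repeated name, so the
    issue's test cases look well-formed after a normal parse. Parsing with
    object_pairs_hook preserves the raw member list so duplicates can be
    reported with the path at which they occur.
    """
    tree = json.loads(payload, object_pairs_hook=_RawObject)
    found: List[str] = []

    def walk(node: Any, path: str) -> None:
        if isinstance(node, _RawObject):
            seen = set()
            for key, value in node.pairs:
                child = f"{path}/{key}"
                if key in seen:
                    found.append(child)
                seen.add(key)
                walk(value, child)
        elif isinstance(node, list):
            for i, item in enumerate(node):
                walk(item, f"{path}/{i}")

    walk(tree, "")
    return found


def accept_entity(payload: str) -> bool:
    """Gate an NGSIv2 entity before it reaches the broker: no duplicated members."""
    return not find_duplicate_members(payload)


# Test case 1 from the issue, embedded so the example runs offline.
TEST_CASE_1 = '{"id": "urn:ngsi-ld:Store:123", "type": "Store", "address": {"type": "PostalAddress", "value": {"streetAddress": "Bornholmer Straße 65", "addressRegion": "Berlin", "addressLocality": "Prenzlauer Berg", "postalCode": "10439"}, "value": {"streetAddress": "Bornholmer Straße 65", "addressRegion": "Berlin", "addressLocality": "Prenzlauer Berg", "postalCode": "10439"}, "metadata": {"verified": {"value": "true", "type": ": Boolean"}}}, "location": {"type": "geo:json", "value": {"type": "Point", "coordinates": [13.3986, 52.5547]}}, "name": {"type": "Text", "value": ": Bösebrücke Einkauf"}}'

if __name__ == "__main__":
    print(find_duplicate_members(TEST_CASE_1))  # ['/address/value']
```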

fgalan commented Mar 20, 2020

Fix implemented in PR #3615

Thus, I'm closing the issue. However, it would be great if @0xricksanchez could test again (with master branch code) and provide feedback, please. Of course, if the problem persists we will reopen the issue.

@fgalan fgalan closed this as completed Mar 20, 2020