qpid-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jiri Daněk (JIRA) <j...@apache.org>
Subject [jira] [Commented] (PROTON-1979) Decoding a bad message can overflow the stack
Date Sat, 15 Dec 2018 15:41:00 GMT

    [ https://issues.apache.org/jira/browse/PROTON-1979?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16722199#comment-16722199
] 

Jiri Daněk commented on PROTON-1979:
------------------------------------

There is still one last crash open, for inputs like these. It's an array in an array in an
array, ... this time without any described types.

https://oss-fuzz.com/testcase-detail/5920119225057280

{noformat}
==1==ERROR: MemorySanitizer: stack-overflow on address 0x7ffe94b70fe0 (pc 0x00000051d2c5 bp
0x7ffe94b71080 sp 0x7ffe94b70fe0 T1)
    #0 0x51d2c4 in pni_data_current /src/qpid-proton/c/src/core/codec.c:1224:35
    #1 0x51d2c4 in pni_data_add /src/qpid-proton/c/src/core/codec.c:1457
    #2 0x502736 in pn_data_put_array /src/qpid-proton/c/src/core/codec.c:1548:22
    #3 0x526929 in pni_decoder_decode_value /src/qpid-proton/c/src/core/decoder.c:403:15
    #4 0x5272d8 in pni_decoder_decode_value /src/qpid-proton/c/src/core/decoder.c:414:15
    #5 0x5272d8 in pni_decoder_decode_value /src/qpid-proton/c/src/core/decoder.c:414:15
    #6 0x5272d8 in pni_decoder_decode_value /src/qpid-proton/c/src/core/decoder.c:414:15
    #7 0x5272d8 in pni_decoder_decode_value /src/qpid-proton/c/src/core/decoder.c:414:15
    #8 0x5272d8 in pni_decoder_decode_value /src/qpid-proton/c/src/core/decoder.c:414:15
    #9 0x5272d8 in pni_decoder_decode_value /src/qpid-proton/c/src/core/decoder.c:414:15
    #10 0x5272d8 in pni_decoder_decode_value /src/qpid-proton/c/src/core/decoder.c:414:15
    #11 0x5272d8 in pni_decoder_decode_value /src/qpid-proton/c/src/core/decoder.c:414:15
    #12 0x5272d8 in pni_decoder_decode_value /src/qpid-proton/c/src/core/decoder.c:414:15
    #13 0x5272d8 in pni_decoder_decode_value /src/qpid-proton/c/src/core/decoder.c:414:15
    #14 0x5272d8 in pni_decoder_decode_value /src/qpid-proton/c/src/core/decoder.c:414:15
    #15 0x5272d8 in pni_decoder_decode_value /src/qpid-proton/c/src/core/decoder.c:414:15
[...]
{noformat}

> Decoding a bad message can overflow the stack
> ---------------------------------------------
>
>                 Key: PROTON-1979
>                 URL: https://issues.apache.org/jira/browse/PROTON-1979
>             Project: Qpid Proton
>          Issue Type: Bug
>          Components: proton-c
>            Reporter: Andrew Stitcher
>            Assignee: Andrew Stitcher
>            Priority: Major
>              Labels: fuzzer
>             Fix For: proton-c-0.27.0
>
>
> Found by oss-fuzz: [https://oss-fuzz.com/testcase?key=5920119225057280]
> A message with a described type whose descriptor is an array containing described types
of an array containing described types of... can cause enough stack use to overflow the process
stack.
> The message is quite long (and essentially meaningless) but none the less syntactically
valid.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org


Mime
View raw message