Uploaded image for project: 'Qpid Proton'
  1. Qpid Proton
  2. PROTON-2775

pn_buffer_ensure crash due to overflow



    • Bug
    • Status: Open
    • Major
    • Resolution: Unresolved
    • proton-c-0.40.0
    • None
    • proton-c
    • None


      pn_buffer_ensure(pn_buffer_t *buf, size_t size) will expand the capacity of buf to hold at least size.

      The implementation of pn_buffer_t maintains a capacity field that represents the size of of the allocated memory buffer. This capacity is implemented as a uint32_t type.

      The issue is that pn_buffer_ensure does not check for buffer wrap within the uint32_t range, which allows pn_buffer_ensure to wrap the reallocation.  This can result in memory overflow and a crash.

      Note well that I don't think having a 2^32-1 maximum limit for a pn_buffer_t is wrong.  I totally agree that even that size is probably overkill.

      However I think the problem is that an application can trigger the wrap since there is no visibility to current capacity value with the current proton API.  E.g. aggressively call pn_link_send() when the output network connection is blocked by a stalled receiver.

      At a minimum proton should detect an overflow event and not blindly double the capacity if the requested size is within the 32 bit range.

      I would also propose that pn_buffer_ensure() invoke abort() if it is passed a size > UINT32_MAX.  This would at minimum prevent a potential buffer overflow attack and at best alert the application developer that their code is buggy.


        1. proton-2775.txt
          4 kB
          Ken Giusti
        2. proton-2775-2.txt
          3 kB
          Ken Giusti



            Unassigned Unassigned
            kgiusti Ken Giusti
            0 Vote for this issue
            1 Start watching this issue