Uploaded image for project: 'Qpid Proton'
  1. Qpid Proton
  2. PROTON-2775

pn_buffer_ensure crash due to overflow

Attach filesAttach ScreenshotAdd voteVotersWatch issueWatchersCreate sub-taskLinkCloneUpdate Comment AuthorReplace String in CommentUpdate Comment VisibilityDelete Comments
    XMLWordPrintableJSON

Details

    • Bug
    • Status: Open
    • Major
    • Resolution: Unresolved
    • proton-c-0.40.0
    • None
    • proton-c
    • None

    Description

      pn_buffer_ensure(pn_buffer_t *buf, size_t size) will expand the capacity of buf to hold at least size.

      The implementation of pn_buffer_t maintains a capacity field that represents the size of of the allocated memory buffer. This capacity is implemented as a uint32_t type.

      The issue is that pn_buffer_ensure does not check for buffer wrap within the uint32_t range, which allows pn_buffer_ensure to wrap the reallocation.  This can result in memory overflow and a crash.

      Note well that I don't think having a 2^32-1 maximum limit for a pn_buffer_t is wrong.  I totally agree that even that size is probably overkill.

      However I think the problem is that an application can trigger the wrap since there is no visibility to current capacity value with the current proton API.  E.g. aggressively call pn_link_send() when the output network connection is blocked by a stalled receiver.

      At a minimum proton should detect an overflow event and not blindly double the capacity if the requested size is within the 32 bit range.

      I would also propose that pn_buffer_ensure() invoke abort() if it is passed a size > UINT32_MAX.  This would at minimum prevent a potential buffer overflow attack and at best alert the application developer that their code is buggy.

      Attachments

        Activity

          This comment will be Viewable by All Users Viewable by All Users
          Cancel

          People

            Unassigned Unassigned
            kgiusti Ken Giusti

            Dates

              Created:
              Updated:

              Slack

                Issue deployment