Posted to commits@qpid.apache.org by as...@apache.org on 2018/12/06 22:23:04 UTC

[2/2] qpid-proton git commit: PROTON-1979: [c] Forbid AMQP values that could lead to a nested descriptor type - Any described type descriptors that could lead to a nested described type in the descriptor type itself are forbidden as these can lead to i

PROTON-1979: [c] Forbid AMQP values that could lead to a nested descriptor type
- Any described type descriptors that could lead to a nested described type in the
  descriptor type itself are forbidden as these can lead to indefinite stack use.
- In any event only symbol and ulong are currently valid types for descriptors,
  all other types are reserved although syntactically valid (according to amqp 1.0).

Problem found by oss-fuzz: https://oss-fuzz.com/testcase?key=5920119225057280


Project: http://git-wip-us.apache.org/repos/asf/qpid-proton/repo
Commit: http://git-wip-us.apache.org/repos/asf/qpid-proton/commit/5ba471d9
Tree: http://git-wip-us.apache.org/repos/asf/qpid-proton/tree/5ba471d9
Diff: http://git-wip-us.apache.org/repos/asf/qpid-proton/diff/5ba471d9

Branch: refs/heads/master
Commit: 5ba471d97f9e04c8e68f2270681038b3c1eac0ed
Parents: 6a5140b
Author: Andrew Stitcher <as...@apache.org>
Authored: Thu Dec 6 14:45:47 2018 -0500
Committer: Andrew Stitcher <as...@apache.org>
Committed: Thu Dec 6 17:22:19 2018 -0500

----------------------------------------------------------------------
 c/src/core/decoder.c                               |   7 ++++++-
 .../fuzz-message-decode/crash/5920119225057280     | Bin 0 -> 96383 bytes
 2 files changed, 6 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/qpid-proton/blob/5ba471d9/c/src/core/decoder.c
----------------------------------------------------------------------
diff --git a/c/src/core/decoder.c b/c/src/core/decoder.c
index fd7b69a..a2e99b2 100644
--- a/c/src/core/decoder.c
+++ b/c/src/core/decoder.c
@@ -485,6 +485,11 @@ static int pni_decoder_decode_type(pn_decoder_t *decoder, pn_data_t *data, uint8
 
 size_t pn_data_siblings(pn_data_t *data);
 
+static inline bool pni_allowed_descriptor_code(uint8_t code)
+{
+  return code != PNE_DESCRIPTOR && code != PNE_ARRAY8 && code != PNE_ARRAY32;
+}
+
 int pni_decoder_single_described(pn_decoder_t *decoder, pn_data_t *data)
 {
   if (!pn_decoder_remaining(decoder)) {
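Review bot: pni_allowed_descriptor_code is a denylist of three encoding codes, but the commit message says only symbol and ulong are currently valid descriptor types, so an allowlist of just those encodings would be tighter and would not need revisiting if another compound code turns out to reach a described type. At minimum, add a comment above the helper recording why PNE_ARRAY8 and PNE_ARRAY32 are excluded alongside PNE_DESCRIPTOR (an array's element constructor can itself be a described type, which is the indefinite-stack path the message describes); the name alone does not convey that.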
@@ -493,7 +498,7 @@ int pni_decoder_single_described(pn_decoder_t *decoder, pn_data_t *data)
 
   uint8_t code = *decoder->position++;;
 
-  if (code == PNE_DESCRIPTOR) {
+  if (!pni_allowed_descriptor_code(code)) {
     return PN_ARG_ERR;
   }
 

http://git-wip-us.apache.org/repos/asf/qpid-proton/blob/5ba471d9/c/tests/fuzz/fuzz-message-decode/crash/5920119225057280
----------------------------------------------------------------------
diff --git a/c/tests/fuzz/fuzz-message-decode/crash/5920119225057280 b/c/tests/fuzz/fuzz-message-decode/crash/5920119225057280
new file mode 100644
index 0000000..3a4657d
Binary files /dev/null and b/c/tests/fuzz/fuzz-message-decode/crash/5920119225057280 differ


---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@qpid.apache.org
For additional commands, e-mail: commits-help@qpid.apache.org