Posted to commits@qpid.apache.org by as...@apache.org on 2018/07/30 16:35:01 UTC

[7/8] qpid-proton git commit: PROTON-1903: Bug found by OSS Fuzz project - Fix sasl code to disallow some illegal frame sequences

PROTON-1903: Bug found by OSS Fuzz project
- Fix sasl code to disallow some illegal frame sequences

OSS-Fuzz bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8304


Project: http://git-wip-us.apache.org/repos/asf/qpid-proton/repo
Commit: http://git-wip-us.apache.org/repos/asf/qpid-proton/commit/9fbd8abe
Tree: http://git-wip-us.apache.org/repos/asf/qpid-proton/tree/9fbd8abe
Diff: http://git-wip-us.apache.org/repos/asf/qpid-proton/diff/9fbd8abe

Branch: refs/heads/master
Commit: 9fbd8abe863180b0a071e24a95e443761c0df343
Parents: 1cce7ca
Author: Andrew Stitcher <as...@apache.org>
Authored: Sun Jul 29 00:02:56 2018 -0400
Committer: Andrew Stitcher <as...@apache.org>
Committed: Mon Jul 30 11:41:59 2018 -0400

----------------------------------------------------------------------
 c/src/sasl/sasl.c                               |  43 ++++++++++++++++++-
 .../crash/6028258679193600                      | Bin 0 -> 28 bytes
 2 files changed, 42 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/qpid-proton/blob/9fbd8abe/c/src/sasl/sasl.c
----------------------------------------------------------------------
diff --git a/c/src/sasl/sasl.c b/c/src/sasl/sasl.c
index 8366116..3b257ab 100644
--- a/c/src/sasl/sasl.c
+++ b/c/src/sasl/sasl.c
@@ -847,6 +847,14 @@ pn_sasl_outcome_t pn_sasl_outcome(pn_sasl_t *sasl0)
 int pn_do_init(pn_transport_t *transport, uint8_t frame_type, uint16_t channel, pn_data_t *args, const pn_bytes_t *payload)
 {
   pni_sasl_t *sasl = transport->sasl;
+
+  // If we haven't got an sasl struct yet we've in an error state
+  // This can only happen if our peer sent SASL frames even though he didn't send the SASL header
+  if (!sasl) return PN_ERR;
+
+  // We should only receive this if we are a sasl server
+  if (sasl->client) return PN_ERR;
+
   pn_bytes_t mech;
   pn_bytes_t recv;
   int err = pn_data_scan(args, "D.[sz]", &mech, &recv);
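Review bot: The same seven-line guard is pasted into pn_do_init here and into pn_do_mechanisms, pn_do_challenge, pn_do_response and pn_do_outcome in the following hunks, differing only in the expected role, so it would read better as one static helper returning the sasl state or NULL, with each handler reduced to `pni_sasl_t *sasl = pni_sasl_expect(transport, false);` followed by `if (!sasl) return PN_ERR;`. The comment on the guard reads `we've in an error state` in every copy and should say `we're in an error state`; the server-side copies (here and in pn_do_response) say the peer `didn't send the SASL header` while the client-side ones say `we didn't send` it, which is worth making consistent or explaining if the distinction is deliberate. These guards check role only, so whether a duplicate or out-of-order frame within the correct role (a second SASL-INIT, for instance) is rejected depends on state handling outside this hunk. pn_do_init's body continues past the end of the hunk.
```c
// Return the transport's SASL state, or NULL if a SASL frame arrived with no
// SASL state (the SASL header was never exchanged) or for the wrong role; the
// caller answers NULL with PN_ERR.
static pni_sasl_t *pni_sasl_expect(pn_transport_t *transport, bool want_client)
{
  pni_sasl_t *sasl = transport->sasl;
  if (!sasl) return NULL;
  if (want_client ? !sasl->client : sasl->client) return NULL;
  return sasl;
}

int pn_do_init(pn_transport_t *transport, uint8_t frame_type, uint16_t channel, pn_data_t *args, const pn_bytes_t *payload)
{
  // Only a SASL server may receive SASL-INIT.
  pni_sasl_t *sasl = pni_sasl_expect(transport, false);
  if (!sasl) return PN_ERR;

  // … unchanged: scan of mechanism and initial response …
```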
@@ -872,6 +880,13 @@ int pn_do_mechanisms(pn_transport_t *transport, uint8_t frame_type, uint16_t cha
 {
   pni_sasl_t *sasl = transport->sasl;
 
+  // If we haven't got an sasl struct yet we've in an error state
+  // This can only happen if our peer sent SASL frames even though we didn't send the SASL header
+  if (!sasl) return PN_ERR;
+
+  // We should only receive this if we are a sasl client
+  if (!sasl->client) return PN_ERR;
+
   // This scanning relies on pn_data_scan leaving the pn_data_t cursors
   // where they are after finishing the scan
   pn_string_t *mechs = pn_string("");
@@ -919,6 +934,15 @@ int pn_do_mechanisms(pn_transport_t *transport, uint8_t frame_type, uint16_t cha
 // Received client side
 int pn_do_challenge(pn_transport_t *transport, uint8_t frame_type, uint16_t channel, pn_data_t *args, const pn_bytes_t *payload)
 {
+  pni_sasl_t *sasl = transport->sasl;
+
+  // If we haven't got an sasl struct yet we've in an error state
+  // This can only happen if our peer sent SASL frames even though we didn't send the SASL header
+  if (!sasl) return PN_ERR;
+
+  // We should only receive this if we are a sasl client
+  if (!sasl->client) return PN_ERR;
+
   pn_bytes_t recv;
   int err = pn_data_scan(args, "D.[z]", &recv);
   if (err) return err;
@@ -931,6 +955,15 @@ int pn_do_challenge(pn_transport_t *transport, uint8_t frame_type, uint16_t chan
 // Received server side
 int pn_do_response(pn_transport_t *transport, uint8_t frame_type, uint16_t channel, pn_data_t *args, const pn_bytes_t *payload)
 {
+  pni_sasl_t *sasl = transport->sasl;
+
+  // If we haven't got an sasl struct yet we've in an error state
+  // This can only happen if our peer sent SASL frames even though he didn't send the SASL header
+  if (!sasl) return PN_ERR;
+
+  // We should only receive this if we are a sasl server
+  if (sasl->client) return PN_ERR;
+
   pn_bytes_t recv;
   int err = pn_data_scan(args, "D.[z]", &recv);
   if (err) return err;
@@ -943,11 +976,19 @@ int pn_do_response(pn_transport_t *transport, uint8_t frame_type, uint16_t chann
 // Received client side
 int pn_do_outcome(pn_transport_t *transport, uint8_t frame_type, uint16_t channel, pn_data_t *args, const pn_bytes_t *payload)
 {
+  pni_sasl_t *sasl = transport->sasl;
+
+  // If we haven't got an sasl struct yet we've in an error state
+  // This can only happen if our peer sent SASL frames even though we didn't send the SASL header
+  if (!sasl) return PN_ERR;
+
+  // We should only receive this if we are a sasl client
+  if (!sasl->client) return PN_ERR;
+
   uint8_t outcome;
   int err = pn_data_scan(args, "D.[B]", &outcome);
   if (err) return err;
 
-  pni_sasl_t *sasl = transport->sasl;
   sasl->outcome = (pn_sasl_outcome_t) outcome;
   bool authenticated = sasl->outcome==PN_SASL_OK;
   transport->authenticated = authenticated;
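Review bot: The guards added at the top of pn_do_outcome correctly move the `sasl` lookup ahead of the scan, but the peer-supplied `outcome` byte is still stored unchecked by the cast `sasl->outcome = (pn_sasl_outcome_t) outcome;`, so a value outside the defined outcome codes lands in the enum field. Unless later code rejects such values (the rest of the function is outside the hunk), a range check after the scan such as `if (outcome > PN_SASL_TEMP) return PN_ERR;` would confine the field to declared values; this assumes PN_SASL_TEMP is the largest member of pn_sasl_outcome_t, which should be confirmed against the header. pn_do_outcome's body continues past the end of the hunk.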

http://git-wip-us.apache.org/repos/asf/qpid-proton/blob/9fbd8abe/c/tests/fuzz/fuzz-connection-driver/crash/6028258679193600
----------------------------------------------------------------------
diff --git a/c/tests/fuzz/fuzz-connection-driver/crash/6028258679193600 b/c/tests/fuzz/fuzz-connection-driver/crash/6028258679193600
new file mode 100644
index 0000000..1d58614
Binary files /dev/null and b/c/tests/fuzz/fuzz-connection-driver/crash/6028258679193600 differ

