Skip to content

router: fix null-terminator issue in path replacement.#5867

Merged
htuch merged 1 commit intoenvoyproxy:masterfrom
htuch:fix-router-assert-fuzz
Feb 7, 2019
Merged

router: fix null-terminator issue in path replacement.#5867
htuch merged 1 commit intoenvoyproxy:masterfrom
htuch:fix-router-assert-fuzz

Conversation

@htuch
Copy link
Member

@htuch htuch commented Feb 6, 2019

Fixes oss-fuzz issue
https://oss-fuzz.com/testcase-detail/5137346677178368.

Risk level: Low
Testing: Corpus entry added.

Signed-off-by: Harvey Tuch htuch@google.com

@htuch
router: fix null-terminator issue in path replacement.
1bcfe8d 
Fixes oss-fuzz issue
https://oss-fuzz.com/testcase-detail/5137346677178368.

Risk level: Low
Testing: Corpus entry added.

Signed-off-by: Harvey Tuch <htuch@google.com>
@htuch htuch requested a review from mattklein123 February 6, 2019 23:03
@htuch
Copy link
Member Author

htuch commented Feb 6, 2019

@mattklein123 not sure if this situation can happen in reality. I.e. we have a Path that is "\0001\000". Will the HTTP parsers reject or should we scrub?

@mattklein123
Copy link
Member

mattklein123 commented Feb 7, 2019

@mattklein123 not sure if this situation can happen in reality. I.e. we have a Path that is "\0001\000". Will the HTTP parsers reject or should we scrub?

I looked at the spec and the parser implementations and no, this is not a valid header value that would pass parsing. I have 2 questions:

  1. How does this actually crash? It's not clear to me from the diff.
  2. Is there any way to make the fuzzer only generate values that the parser will accept (VCHAR in the HTTP/1.1 BNF)

@htuch
Copy link
Member Author

htuch commented Feb 7, 2019

  1. It crashes in

    envoy/source/common/router/config_impl.cc

    Line 500 in 88fe0c9

    ASSERT(case_sensitive_ ? absl::StartsWith(path, matched_path)
    .
  2. Probably. I'd argue that the fix in this PR is actually harmless and also resolves the issue, so we can put this restriction in next time we get something that shouldn't happen by the spec. It can only be a good thing not to rely on scanning a C string for nullptr :)

@mattklein123
Copy link
Member

mattklein123 commented Feb 7, 2019

For 1 I'm probably being dense, but isn't the string null terminated?

@htuch
Copy link
Member Author

htuch commented Feb 7, 2019

The matched_path, from caller, uses data+size to form the string, whereas path is using the C nullptr search for length. Since we have an embedded null, the ASSERT fires.

@mattklein123
Copy link
Member

mattklein123 commented Feb 7, 2019

Ah I see. OK thanks. Sure, we can make the fuzzer smarter in a follow up if we need to.

@htuch htuch merged commit c54274a into envoyproxy:master Feb 7, 2019
@htuch htuch deleted the fix-router-assert-fuzz branch February 7, 2019 19:26
htuch added a commit to htuch/envoy that referenced this pull request Mar 5, 2019
@htuch
header_map/fuzz: improve robustness to embedded NULL in headers.
0685253 
As discovered back in envoyproxy#5867, we have some situations where
we expect the codecs to reject embedded NULLs in header key/values. This PR improves
codec_impl_fuzz_test by having it ignore such invalid values and also adds a bunch of ASSERTs to
HeaderMapImpl to document/guard against any potential NULL creep, since its correctness is
predicated on this.

Fixes oss-fuzz issue https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=13447.

Risk level: Low
Testing: Corpus entry added.

Signed-off-by: Harvey Tuch <htuch@google.com>
@htuch htuch mentioned this pull request Mar 5, 2019
Merged
htuch added a commit that referenced this pull request Mar 5, 2019
@htuch
header_map/fuzz: improve robustness to embedded NULL in headers. (#6170)
b2fe722 
As discovered back in #5867, we have some situations where
we expect the codecs to reject embedded NULLs in header key/values. This PR improves
codec_impl_fuzz_test by having it ignore such invalid values and also adds a bunch of ASSERTs to
HeaderMapImpl to document/guard against any potential NULL creep, since its correctness is
predicated on this.

Fixes oss-fuzz issue https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=13447.

Risk level: Low
Testing: Corpus entry added.

Signed-off-by: Harvey Tuch <htuch@google.com>
fredlas pushed a commit to fredlas/envoy that referenced this pull request Mar 5, 2019
@htuch @fredlas
router: fix null-terminator issue in path replacement. (envoyproxy#5867)
24e5f75 
Fixes oss-fuzz issue
https://oss-fuzz.com/testcase-detail/5137346677178368.

Risk level: Low
Testing: Corpus entry added.

Signed-off-by: Harvey Tuch <htuch@google.com>
Signed-off-by: Fred Douglas <fredlas@google.com>
fredlas pushed a commit to fredlas/envoy that referenced this pull request Mar 5, 2019
@htuch @fredlas
header_map/fuzz: improve robustness to embedded NULL in headers. (env…
a95b1f3 
…oyproxy#6170)

As discovered back in envoyproxy#5867, we have some situations where
we expect the codecs to reject embedded NULLs in header key/values. This PR improves
codec_impl_fuzz_test by having it ignore such invalid values and also adds a bunch of ASSERTs to
HeaderMapImpl to document/guard against any potential NULL creep, since its correctness is
predicated on this.

Fixes oss-fuzz issue https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=13447.

Risk level: Low
Testing: Corpus entry added.

Signed-off-by: Harvey Tuch <htuch@google.com>
Signed-off-by: Fred Douglas <fredlas@google.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mattklein123 mattklein123 mattklein123 approved these changes

Assignees

@mattklein123 mattklein123

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@htuch @mattklein123