Skip to content

Commit

Permalink
Fix out of bounds access to slice in MongoDB parser (elastic#6256)
Browse files Browse the repository at this point in the history
* Fix out of bounds access to slice in MongoDB parser

Ignore MongoDB message and drop the TCP stream if a malformed
query / response is received, instead of logging a panic.

Closes elastic#5188

* Update CHANGELOG
  • Loading branch information
adriansr committed Apr 6, 2018
1 parent 6dddbd8 commit 728cdd1
Show file tree
Hide file tree
Showing 3 changed files with 34 additions and 1 deletion.
1 change: 1 addition & 0 deletions CHANGELOG.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,7 @@ https://github.com/elastic/beats/compare/v5.6.8...5.6[Check the HEAD diff]
- Fix mysql SQL parser to trim `\r` from Windows Server `SELECT\r\n\t1`. {pull}5572[5572]
- Fix corruption when parsing repeated headers in an HTTP request or response. {pull}6325[6325]
- Fix panic when parsing partial AMQP messages. {pull}6384[6384]
- Fix out of bounds access to slice in MongoDB parser. {pull}6256[6256]

*Winlogbeat*

Expand Down
3 changes: 3 additions & 0 deletions packetbeat/protos/mongodb/mongodb_parser.go
Original file line number Diff line number Diff line change
Expand Up @@ -341,6 +341,9 @@ func (d *decoder) readDocument() (bson.M, error) {
start := d.i
documentLength, err := d.readInt32()
d.i = start + documentLength
if len(d.in) < d.i {
return nil, errors.New("document out of bounds")
}

documentMap := bson.M{}

Expand Down
31 changes: 30 additions & 1 deletion packetbeat/protos/mongodb/mongodb_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -7,11 +7,12 @@ import (
"net"
"testing"

"github.com/stretchr/testify/assert"

"github.com/elastic/beats/libbeat/common"
"github.com/elastic/beats/libbeat/logp"
"github.com/elastic/beats/packetbeat/protos"
"github.com/elastic/beats/packetbeat/publish"
"github.com/stretchr/testify/assert"
)

// Helper function returning a Mongodb module that can be used
Expand Down Expand Up @@ -333,3 +334,31 @@ func TestMaxDocSize(t *testing.T) {

assert.Equal(t, "\"1234 ...\n\"123\"\n\"12\"", res["response"])
}

// Test for a (recovered) panic parsing document length in request/response messages
func TestDocumentLengthBoundsChecked(t *testing.T) {
if testing.Verbose() {
logp.LogInit(logp.LOG_DEBUG, "", false, true, []string{"mongodb", "mongodbdetailed"})
}

mongodb := mongodbModForTests()

// request and response from tests/pcaps/mongo_one_row.pcap
reqData, err := hex.DecodeString(
// Request message with out of bounds document
"320000000a000000ffffffffd4070000" +
"00000000746573742e72667374617572" +
"616e7473000000000001000000" +
// Document length (including itself)
"06000000" +
// Document (1 byte instead of 2)
"00")
assert.Nil(t, err)

tcptuple := testTCPTuple()
req := protos.Packet{Payload: reqData}
private := protos.ProtocolData(new(mongodbConnectionData))

private = mongodb.Parse(&req, tcptuple, 0, private)
assert.NotNil(t, private, "mongodb parser recovered from a panic")
}

0 comments on commit 728cdd1

Please sign in to comment.