Skip to content

Commit

Permalink
Fix out of bounds access to slice in MongoDB parser (elastic#6256)
Browse files Browse the repository at this point in the history
* Fix out of bounds access to slice in MongoDB parser

Ignore MongoDB message and drop the TCP stream if a malformed
query / response is received, instead of logging a panic.

Closes elastic#5188

* Update CHANGELOG
  • Loading branch information
adriansr authored and andrewkroh committed Apr 6, 2018
1 parent 91233f9 commit 7007be9
Show file tree
Hide file tree
Showing 3 changed files with 30 additions and 0 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -309,6 +309,7 @@ https://github.com/elastic/beats/compare/v6.0.1...v6.1.0[View commits]
- Fix mysql SQL parser to trim `\r` from Windows Server `SELECT\r\n\t1`. {pull}5572[5572]
- Fix corruption when parsing repeated headers in an HTTP request or response. {pull}6325[6325]
- Fix panic when parsing partial AMQP messages. {pull}6384[6384]
- Fix out of bounds access to slice in MongoDB parser. {pull}6256[6256]
*Winlogbeat*
Expand Down
3 changes: 3 additions & 0 deletions packetbeat/protos/mongodb/mongodb_parser.go
Original file line number Diff line number Diff line change
Expand Up @@ -341,6 +341,9 @@ func (d *decoder) readDocument() (bson.M, error) {
start := d.i
documentLength, err := d.readInt32()
d.i = start + documentLength
if len(d.in) < d.i {
return nil, errors.New("document out of bounds")
}

documentMap := bson.M{}

Expand Down
26 changes: 26 additions & 0 deletions packetbeat/protos/mongodb/mongodb_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -333,3 +333,29 @@ func TestMaxDocSize(t *testing.T) {

assert.Equal(t, "\"1234 ...\n\"123\"\n\"12\"", res["response"])
}

// Test for a (recovered) panic parsing document length in request/response messages
func TestDocumentLengthBoundsChecked(t *testing.T) {
logp.TestingSetup(logp.WithSelectors("mongodb", "mongodbdetailed"))

_, mongodb := mongodbModForTests()

// request and response from tests/pcaps/mongo_one_row.pcap
reqData, err := hex.DecodeString(
// Request message with out of bounds document
"320000000a000000ffffffffd4070000" +
"00000000746573742e72667374617572" +
"616e7473000000000001000000" +
// Document length (including itself)
"06000000" +
// Document (1 byte instead of 2)
"00")
assert.Nil(t, err)

tcptuple := testTCPTuple()
req := protos.Packet{Payload: reqData}
private := protos.ProtocolData(new(mongodbConnectionData))

private = mongodb.Parse(&req, tcptuple, 0, private)
assert.NotNil(t, private, "mongodb parser recovered from a panic")
}

0 comments on commit 7007be9

Please sign in to comment.