From fa170daedbfc1847c7c17f5e6ac33037456c6226 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tobias=20Nie=C3=9Fen?= Date: Thu, 25 Aug 2022 22:32:14 +0200 Subject: [PATCH] inspector: prevent integer overflow in open() PR-URL: https://github.com/nodejs/node/pull/44367 Reviewed-By: Ruben Bridgewater Reviewed-By: Richard Lau Reviewed-By: Rich Trott Reviewed-By: Kohei Ueno --- lib/inspector.js | 9 +++++++++ src/inspector_js_api.cc | 1 + ...test-inspector-open-port-integer-overflow.js | 17 +++++++++++++++++ 3 files changed, 27 insertions(+) create mode 100644 test/parallel/test-inspector-open-port-integer-overflow.js diff --git a/lib/inspector.js b/lib/inspector.js index 46779a0ec21dac..dafc4ef4932ff1 100644 --- a/lib/inspector.js +++ b/lib/inspector.js @@ -26,6 +26,8 @@ const EventEmitter = require('events'); const { queueMicrotask } = require('internal/process/task_queues'); const { validateCallback, + isUint32, + validateInt32, validateObject, validateString, } = require('internal/validators'); @@ -167,6 +169,13 @@ function inspectorOpen(port, host, wait) { if (isEnabled()) { throw new ERR_INSPECTOR_ALREADY_ACTIVATED(); } + // inspectorOpen() currently does not typecheck its arguments and adding + // such checks would be a potentially breaking change. However, the native + // open() function requires the port to fit into a 16-bit unsigned integer, + // causing an integer overflow otherwise, so we at least need to prevent that. + if (isUint32(port)) { + validateInt32(port, 'port', 0, 65535); + } open(port, host); if (wait) waitForDebugger(); diff --git a/src/inspector_js_api.cc b/src/inspector_js_api.cc index 4ebb8acd689d58..cae302d2a658ed 100644 --- a/src/inspector_js_api.cc +++ b/src/inspector_js_api.cc @@ -281,6 +281,7 @@ void Open(const FunctionCallbackInfo& args) { if (args.Length() > 0 && args[0]->IsUint32()) { uint32_t port = args[0].As()->Value(); + CHECK_LE(port, std::numeric_limits::max()); ExclusiveAccess::Scoped host_port(agent->host_port()); host_port->set_port(static_cast(port)); } diff --git a/test/parallel/test-inspector-open-port-integer-overflow.js b/test/parallel/test-inspector-open-port-integer-overflow.js new file mode 100644 index 00000000000000..0f9a4799d0642a --- /dev/null +++ b/test/parallel/test-inspector-open-port-integer-overflow.js @@ -0,0 +1,17 @@ +'use strict'; + +// Regression test for an integer overflow in inspector.open() when the port +// exceeds the range of an unsigned 16-bit integer. + +const common = require('../common'); +common.skipIfInspectorDisabled(); +common.skipIfWorker(); + +const assert = require('assert'); +const inspector = require('inspector'); + +assert.throws(() => inspector.open(99999), { + name: 'RangeError', + code: 'ERR_OUT_OF_RANGE', + message: 'The value of "port" is out of range. It must be >= 0 && <= 65535. Received 99999' +});