This is an automated email from the ASF dual-hosted git repository.

astitcher pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/qpid-proton.git


The following commit(s) were added to refs/heads/main by this push:
     new 935f8ad  PROTON-2520: Add some more error checking to frame decode
935f8ad is described below

commit 935f8add523445ec7d6fbd2cbc04970026ce2b51
Author: Andrew Stitcher <[email protected]>
AuthorDate: Fri Mar 4 12:47:03 2022 -0500

    PROTON-2520: Add some more error checking to frame decode
    
    Another issue found by the clusterfuzz fuzzing project.
---
 c/src/core/consumers.h                                    |  13 +++++++++++++
 c/src/core/dispatcher.c                                   |   4 +++-
 .../fuzz-connection-driver/crash/leak-5289430926098432    | Bin 0 -> 121 bytes
 3 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/c/src/core/consumers.h b/c/src/core/consumers.h
index c475fed..94d2a6e 100644
--- a/c/src/core/consumers.h
+++ b/c/src/core/consumers.h
@@ -223,6 +223,19 @@ static inline bool pni_consumer_skip_value(pni_consumer_t* 
consumer, uint8_t typ
   return pni_consumer_skip_value_not_described(consumer, type);
 }
 
+static inline bool pni_islist(pni_consumer_t* consumer) {
+  uint8_t t;
+  if (!pni_consumer_readf8(consumer, &t)) return false;
+  switch (t) {
+    case PNE_LIST0:
+    case PNE_LIST8:
+    case PNE_LIST32:
+      return true;
+    default:
+      return false;
+  }
+}
+
 ///////////////////////////////////////////////////////////////////////////////
 
 static inline bool consume_single_value_not_described(pni_consumer_t* 
consumer, uint8_t* type) {
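Review bot: pni_islist advances the consumer past the byte it inspects, because pni_consumer_readf8 is a read rather than a peek, and neither the name nor a comment says so; its one caller in this commit, pni_dispatch_frame in dispatcher.c, passes &subconsumer and may keep using it afterwards. A header comment such as `/* Consumes one type byte from consumer and reports whether it opens a list (PNE_LIST0/LIST8/LIST32); also false on a short read. */` would make the side effect explicit. If a caller needs the consumer position preserved, probing a by-value copy (`pni_consumer_t probe = *consumer;` and reading from &probe) would avoid it, but whether that matters depends on code outside this hunk. The short-read and not-a-list outcomes are indistinguishable to the caller, which is acceptable for a reject-the-frame check but worth stating in the comment.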
diff --git a/c/src/core/dispatcher.c b/c/src/core/dispatcher.c
index 3998cb9..c7ed79a 100644
--- a/c/src/core/dispatcher.c
+++ b/c/src/core/dispatcher.c
@@ -87,7 +87,9 @@ static int pni_dispatch_frame(pn_frame_t frame, pn_logger_t 
*logger, pn_transpor
   uint64_t lcode;
   pni_consumer_t consumer = make_consumer_from_bytes(frame_payload);
   pni_consumer_t subconsumer;
-  if (!consume_described_ulong_descriptor(&consumer, &subconsumer, &lcode)) {
+  if (!consume_described_ulong_descriptor(&consumer, &subconsumer, &lcode)
+      || !pni_islist(&subconsumer)
+  ) {
     PN_LOG(logger, PN_SUBSYSTEM_AMQP, PN_LEVEL_ERROR, "Error dispatching 
frame");
     return PN_ERR;
   }
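Review bot: Both failure branches now log the identical text "Error dispatching frame", so a frame rejected because its performative body is not a list (the case the added fuzz crash exercises) cannot be told apart in logs from a descriptor-decoding failure. Splitting the condition into two checks with distinct messages, e.g. `PN_LOG(logger, PN_SUBSYSTEM_AMQP, PN_LEVEL_ERROR, "Error dispatching frame: performative body is not a list");` for the second, would keep fuzz-found rejections diagnosable without changing the PN_ERR result. pni_dispatch_frame continues past this hunk, so what the remaining code does with subconsumer after the check is not visible here.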
diff --git a/c/tests/fuzz/fuzz-connection-driver/crash/leak-5289430926098432 
b/c/tests/fuzz/fuzz-connection-driver/crash/leak-5289430926098432
new file mode 100644
index 0000000..87aef15
Binary files /dev/null and 
b/c/tests/fuzz/fuzz-connection-driver/crash/leak-5289430926098432 differ
