GODRIVER-2869 Two protocol validations to reduce client denial of service risks #1291
Merged
The length by definition needs to include the 4 bytes for the size. If a size of zero is provided this can result in an infinite loop as providing the zero to `src[l:]` will result in the slice not being consumed. Allowing the zero length to be read for infinity.
…tput In addition to the MongoDB protocol Snappy also has an encoded size. If the Snappy payload is larger (or at least claims to be larger), the Snappy module will allocate a new byte slice to match the needed size. This could result in memory exhaustion.
Co-authored-by: Alan Parra <[email protected]>
qingyang-hu
changed the title
Two protocol validations to reduce client denial of service risks
GODRIVER-2869 Two protocol validations to reduce client denial of service risks
Jun 12, 2023
qingyang-hu
reviewed
Jun 12, 2023
qingyang-hu
reviewed
Jun 12, 2023
Co-authored-by: Qingyang Hu <[email protected]>
@qingyang-hu and @matthewdale, is there anything further I can do to help with this PR?
qingyang-hu
approved these changes
Jun 21, 2023
matthewdale
approved these changes
Jun 22, 2023
Looks good, thanks! 👍
jentfoo
added a commit
to gravitational/teleport
that referenced
this pull request
Jul 26, 2023
This updates the MongoDB driver to use a recent master commit in order to incorporate the fix: mongodb/mongo-go-driver#1291 (which has not been released to a tag yet) In addition a fuzz seed was added to cover this condition. After not finding more issues this also re-enables the MongoDB fuzzing in oss-fuzz.
github-merge-queue bot
pushed a commit
to gravitational/teleport
that referenced
this pull request
Jul 27, 2023
This updates the MongoDB driver to use a recent master commit in order to incorporate the fix: mongodb/mongo-go-driver#1291 (which has not been released to a tag yet) In addition a fuzz seed was added to cover this condition. After not finding more issues this also re-enables the MongoDB fuzzing in oss-fuzz.
qingyang-hu
added a commit
that referenced
this pull request
Aug 1, 2023
…vice risks (#1291) Co-authored-by: Alan Parra <[email protected]> Co-authored-by: Qingyang Hu <[email protected]>
prestonvasquez
pushed a commit
to prestonvasquez/mongo-go-driver
that referenced
this pull request
Aug 1, 2023
…vice risks (mongodb#1291) Co-authored-by: Alan Parra <[email protected]> Co-authored-by: Qingyang Hu <[email protected]>
prestonvasquez
pushed a commit
to prestonvasquez/mongo-go-driver
that referenced
this pull request
Aug 2, 2023
…vice risks (mongodb#1291) Co-authored-by: Alan Parra <[email protected]> Co-authored-by: Qingyang Hu <[email protected]>
GODRIVER-2869
Summary
This PR is to fix two possible conditions which could result in a potential denial of service of a client connected to a malicious MongoDB server.
`readLengthBytes` requires the 4 bytes for the length to be included. Previously when reading a document from the wire this could result in a tight loop where an empty struct is appended to a slice repeatedly until the service runs out of memory (both CPU and memory consumption).

Let me know if you have additional questions or if there is anything more I can do to help. Thank you!
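
The two validations this PR describes, sketched with the standard library only as an added example; this is not the driver's code. The names `readLength`, `splitDocuments` and `checkSnappyLen` are hypothetical, and `checkSnappyLen` assumes the outer message supplies the claimed uncompressed size.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

var errBadLength = errors.New("malformed length prefix")

// readLength reads a little-endian int32 prefix that counts its own 4 bytes.
func readLength(src []byte) (int32, error) {
	if len(src) < 4 {
		return 0, errBadLength
	}
	l := int32(binary.LittleEndian.Uint32(src))
	if l < 4 || int(l) > len(src) { // l == 0 would never consume src
		return 0, errBadLength
	}
	return l, nil
}

// splitDocuments walks back-to-back documents; l >= 4 guarantees src[l:] shrinks.
func splitDocuments(src []byte) ([][]byte, error) {
	var docs [][]byte
	for len(src) > 0 {
		l, err := readLength(src)
		if err != nil {
			return nil, err
		}
		docs = append(docs, src[:l])
		src = src[l:]
	}
	return docs, nil
}

// checkSnappyLen compares the uvarint decoded-length header of a Snappy block
// with the size claimed by the outer message, before any buffer is allocated.
func checkSnappyLen(block []byte, claimed int32) error {
	n, w := binary.Uvarint(block)
	if w <= 0 || claimed < 0 || n != uint64(claimed) {
		return errBadLength
	}
	return nil
}

func main() { // constructed input: an empty 5-byte document, then a zero prefix
	fmt.Println(splitDocuments([]byte{5, 0, 0, 0, 0, 0, 0, 0, 0}))
}
```
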