&max-size will overread and only raise error afterwards #1815

0xxon · 2024-07-31T14:22:11Z

The &max-size attribute will happily allow inner units to over-read the data from the input stream till they are done, including raising hooks (or zeek events) - only raising an error after all parsing is finished.

Example:

module Test;

public type Top = unit {
  innerdata: Inner &max-size=2;
};

type Inner = unit {
   data: bytes &size=20;
   on %done { print self; }
};

$ printf '\x0b\x00\x00\x01\x00\x0e\xec\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' | spicy-driver test2.spicy
[$data=b"\x0b\x00\x00\x01\x00\x0e\xec\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"]
[error] terminating with uncaught exception of type spicy::rt::ParseError: parsing not done within &max-size bytes (test2.spicy:4:20-4:30)

This obviously is a problem, especially in cases when one parses a protocol that specifies unit-lengths itself.

To give a real-world example: This bug was found while examining a test-failure fo the TLS testsuite. In that case, an inner field specifies a much-too-large-length, exceeding the size of the outer fields by several kilobytes. As this overread seems to exceed the amount of data remaining in this connection, no error is ever raised.

The text was updated successfully, but these errors were encountered:

bbannier · 2024-07-31T14:43:33Z

What happens here is that we set up two dependent limited views into the input stream:

a View view1 with size=3 to parse innerdata from (one larger than the &max-size value to accommodate a sentinel byte for detecting overruns)
a View view2 from view1 with size=20 to parse data from

This fails since when calling limit on an already limited view but with a larger size, the original limit is overriden. This is an issue in the implementation of hilti::rt::stream::View::limit, and can reproduced with this unit test:

SUBCASE("limited view inherits limit") {
    auto input = "1234567890"_b;
    auto stream = Stream(input);
    auto view = stream.view();

    auto limit1 = view.limit(5U);
    REQUIRE_EQ(limit1.size(), 5U);

    auto limit2 = limit1.limit(input.size());
    REQUIRE_EQ(limit2.size(), 5U);
}

The fix would probably be to only ever decrease the size of a View with limit. The only downside of that would be that parsing would then fail since data cannot read enough data, and we do not explicitly trigger an error pointing out&max-size anymore. With that approach we also seem to fail a number of tests, so we might have assumptions about limit being able to override elsewhere.

The documented semantics of `View::limit` are that it creates a new view with equal or smaller size. In contrast to that we would still have allowed to expand views with more calls `limit` again as well. This patch changes the implementation of `View::limit` so it can only ever make a `View` smaller. Closes #1815.

The documented semantics of `View::limit` are that it creates a new view with equal or smaller size. In contrast to that we would still have allowed to expand views with more calls `limit` again as well. This patch changes the implementation of `View::limit` so it can only ever make a `View` smaller. We also tweak the implementation of the check for consumed `&size` when used together with `&eod`: if the `&size` was already nested in a limited view a larger `&size` value could previously extend the view so the `&eod` effectively was ignored. Since we now do not extend the `View` anymore we need to only activate the check for consumed `&size` if `&eod` was not specified since in this case the user communicated that they are fine with consuming less data. Closes #1815.

The documented semantics of `View::limit` are that it creates a new view with equal or smaller size. In contrast to that we would still have allowed to expand views with more calls `limit` again as well. This patch changes the implementation of `View::limit` so it can only ever make a `View` smaller. We also tweak the implementation of the check for consumed `&size` when used together with `&eod`: if the `&size` was already nested in a limited view a larger `&size` value could previously extend the view so the `&eod` effectively was ignored. Since we now do not extend the `View` anymore we need to only activate the check for consumed `&size` if `&eod` was not specified since in this case the user communicated that they are fine with consuming less data. Closes #1815. (cherry picked from commit 44d87b2)

bbannier added the Bug Something isn't working label Jul 31, 2024

bbannier added Good first issue Good for newcomers Runtime Library Issues related to the HILTI or Spicy runtime libraries and removed Good first issue Good for newcomers labels Jul 31, 2024

bbannier self-assigned this Aug 1, 2024

bbannier mentioned this issue Aug 1, 2024

Disallow expanding limited Views again with limit #1816

Merged

bbannier closed this as completed in 44d87b2 Aug 2, 2024

bbannier mentioned this issue Sep 2, 2024

CI run for v1.11.1 #1848

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

&max-size will overread and only raise error afterwards #1815

&max-size will overread and only raise error afterwards #1815

0xxon commented Jul 31, 2024

bbannier commented Jul 31, 2024 •

edited

Loading

&max-size will overread and only raise error afterwards #1815

&max-size will overread and only raise error afterwards #1815

Comments

0xxon commented Jul 31, 2024

bbannier commented Jul 31, 2024 • edited Loading

bbannier commented Jul 31, 2024 •

edited

Loading