fix(bridge): fix buffer overflow bug

chenhuanguang · chenhuanguang · commit d5f88cb390d0 · 2023-07-05T20:37:18.000+08:00
Change-Id: I048600b66afcdd90237bd7f7ba4cf0b05f8f53e3
diff --git a/modules/bridge/common/bridge_header.cc b/modules/bridge/common/bridge_header.cc
@@ -53,14 +53,19 @@ bool BridgeHeader::Diserialize(const char *buf, size_t buf_size) {
       i -= static_cast<int>(sizeof(HType) + sizeof(bsize) + size + 3);
       continue;
     }
-    size_t value_size = 0;
+
     for (int j = 0; j < Header_Tail; j++) {
       if (type == header_item[j]->GetType()) {
-        cursor = header_item[j]->DiserializeItem(cursor, &value_size);
+        size_t value_size = 0;
+        cursor = header_item[j]->DiserializeItem(cursor, static_cast<size_t>(i),
+                                                 &value_size);
+        i -= static_cast<int>(value_size);
+        if (cursor == nullptr) {
+          return false;
+        }
         break;
       }
     }
-    i -= static_cast<int>(value_size);
   }
   return true;
 }
diff --git a/modules/bridge/common/bridge_header_item.h b/modules/bridge/common/bridge_header_item.h
@@ -44,7 +44,7 @@ class HeaderItemBase {
 
  public:
   virtual char *SerializeItem(char *buf, size_t buf_size) = 0;
-  virtual const char *DiserializeItem(const char *buf,
+  virtual const char *DiserializeItem(const char *buf, const size_t buf_size,
                                       size_t *diserialized_size) = 0;
   virtual HType GetType() const = 0;
 };
@@ -56,18 +56,23 @@ template <enum HType t, typename T>
 char *SerializeItemImp(const HeaderItem<t, T> &item, char *buf,
                        size_t buf_size) {
   if (!buf || buf_size == 0 ||
-      buf_size < size_t(sizeof(t) + item.ValueSize() + 3)) {
+      buf_size < size_t(sizeof(t) + sizeof(bsize) + item.ValueSize() + 3)) {
     return nullptr;
   }
   char *res = buf;
-  size_t item_size = item.ValueSize();
+
+  // item.ValueSize() get the size of T type data,
+  // the maximum of which is proto_name
+  // when transfer data, bsize can save sizeof(proto_name).
+  // The type needs to be kept consistent during serialize and diserialize.
+  bsize item_size = static_cast<bsize>(item.ValueSize());
 
   HType type = t;
   memcpy(res, &type, sizeof(HType));
   res[sizeof(HType)] = ':';
   res = res + sizeof(HType) + 1;
 
-  memcpy(res, &item_size, sizeof(size_t));
+  memcpy(res, &item_size, sizeof(bsize));
   res[sizeof(bsize)] = ':';
   res = res + sizeof(bsize) + 1;
 
@@ -79,8 +84,10 @@ char *SerializeItemImp(const HeaderItem<t, T> &item, char *buf,
 
 template <enum HType t, typename T>
 const char *DiserializeItemImp(HeaderItem<t, T> *item, const char *buf,
+                               const size_t buf_size,
                                size_t *diserialized_size) {
-  if (!buf || !diserialized_size) {
+  if (!buf || !diserialized_size ||
+      buf_size < size_t(sizeof(HType) + sizeof(bsize) + 2)) {
     return nullptr;
   }
   const char *res = buf;
@@ -100,6 +107,9 @@ const char *DiserializeItemImp(HeaderItem<t, T> *item, const char *buf,
   res += sizeof(bsize) + 1;
   *diserialized_size += sizeof(bsize) + 1;
 
+  if (buf_size < size_t(sizeof(HType) + sizeof(bsize) + size + 3)) {
+    return nullptr;
+  }
   item->SetValue(res);
   res += size + 1;
   *diserialized_size += size + 1;
@@ -129,9 +139,9 @@ struct HeaderItem : public HeaderItemBase {
     return SerializeItemImp(*this, buf, buf_size);
   }
 
-  const char *DiserializeItem(const char *buf,
+  const char *DiserializeItem(const char *buf, size_t buf_size,
                               size_t *diserialized_size) override {
-    return DiserializeItemImp(this, buf, diserialized_size);
+    return DiserializeItemImp(this, buf, buf_size, diserialized_size);
   }
 };
 
@@ -157,9 +167,9 @@ struct HeaderItem<t, std::string> : public HeaderItemBase {
     return SerializeItemImp(*this, buf, buf_size);
   }
 
-  const char *DiserializeItem(const char *buf,
+  const char *DiserializeItem(const char *buf, size_t buf_size,
                               size_t *diserialized_size) override {
-    return DiserializeItemImp(this, buf, diserialized_size);
+    return DiserializeItemImp(this, buf, buf_size, diserialized_size);
   }
 };
 

Original file line number	Diff line number	Diff line change
`@@ -53,14 +53,19 @@ bool BridgeHeader::Diserialize(const char *buf, size_t buf_size) {`
`53`	`53`	`i -= static_cast<int>(sizeof(HType) + sizeof(bsize) + size + 3);`
`54`	`54`	`continue;`
`55`	`55`	`}`
`56`		`- size_t value_size = 0;`
	`56`	`+`
`57`	`57`	`for (int j = 0; j < Header_Tail; j++) {`
`58`	`58`	`if (type == header_item[j]->GetType()) {`
`59`		`- cursor = header_item[j]->DiserializeItem(cursor, &value_size);`
	`59`	`+ size_t value_size = 0;`
	`60`	`+ cursor = header_item[j]->DiserializeItem(cursor, static_cast<size_t>(i),`
	`61`	`+ &value_size);`
	`62`	`+ i -= static_cast<int>(value_size);`
	`63`	`+ if (cursor == nullptr) {`
	`64`	`+ return false;`
	`65`	`+ }`
`60`	`66`	`break;`
`61`	`67`	`}`
`62`	`68`	`}`
`63`		`- i -= static_cast<int>(value_size);`
`64`	`69`	`}`
`65`	`70`	`return true;`
`66`	`71`	`}`