CDRIVER-4816 Error parsing large IPv6 literal (#1526)

* add regression test

* account for extra 2 bytes in IPv6 literal

* check error logged and returned in test

* check return of `bson_snprintf`

* use format macros

* include `inttypes.h`

---------

Co-authored-by: Ezra Chung <[email protected]>

Author: kevinAlbs

src/libmongoc/src/mongoc/mongoc-host-list.c

@@ -1,7 +1,7 @@
 /*
  * Copyright 2015 MongoDB Inc.
- *
  * Licensed under the Apache License, Version 2.0 (the "License");
+ *
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
@@ -14,6 +14,8 @@
  * limitations under the License.
  */
 
+#include <inttypes.h> // PRIu16
+
 #include "mongoc-host-list-private.h"
 /* strcasecmp on windows */
 #include "mongoc-util-private.h"
@@ -343,13 +345,27 @@ _mongoc_host_list_from_hostport_with_err (mongoc_host_list_t *link_,
    if (strchr (host, ':')) {
       link_->family = AF_INET6;
 
-      mongoc_lowercase (link_->host, link_->host);
-      bson_snprintf (link_->host_and_port,
-                     sizeof link_->host_and_port,
-                     "[%s]:%hu",
-                     link_->host,
-                     link_->port);
+      // Check that IPv6 literal is two less than the max to account for `[` and
+      // `]` added below.
+      if (host_len > BSON_HOST_NAME_MAX - 2) {
+         bson_set_error (
+            error,
+            MONGOC_ERROR_STREAM,
+            MONGOC_ERROR_STREAM_NAME_RESOLUTION,
+            "IPv6 literal provided in URI is too long, max is %d chars",
+            BSON_HOST_NAME_MAX - 2);
+         return false;
+      }
 
+      mongoc_lowercase (link_->host, link_->host);
+      int req = bson_snprintf (link_->host_and_port,
+                               sizeof link_->host_and_port,
+                               "[%s]:%" PRIu16,
+                               link_->host,
+                               link_->port);
+      BSON_ASSERT (bson_in_range_size_t_signed (req));
+      // Use `<`, not `<=` to account for NULL byte.
+      BSON_ASSERT ((size_t) req < sizeof link_->host_and_port);
    } else if (strchr (host, '/') && strstr (host, ".sock")) {
       link_->family = AF_UNIX;
       bson_strncpy (link_->host_and_port, link_->host, host_len + 1);
@@ -358,11 +374,14 @@ _mongoc_host_list_from_hostport_with_err (mongoc_host_list_t *link_,
       link_->family = AF_UNSPEC;
 
       mongoc_lowercase (link_->host, link_->host);
-      bson_snprintf (link_->host_and_port,
-                     sizeof link_->host_and_port,
-                     "%s:%hu",
-                     link_->host,
-                     link_->port);
+      int req = bson_snprintf (link_->host_and_port,
+                               sizeof link_->host_and_port,
+                               "%s:%" PRIu16,
+                               link_->host,
+                               link_->port);
+      BSON_ASSERT (bson_in_range_size_t_signed (req));
+      // Use `<`, not `<=` to account for NULL byte.
+      BSON_ASSERT ((size_t) req < sizeof link_->host_and_port);
    }
 
    link_->next = NULL;

src/libmongoc/tests/test-mongoc-uri.c

@@ -2740,6 +2740,70 @@ test_casing_options (void)
    mongoc_uri_destroy (uri);
 }
 
+static void
+test_parses_long_ipv6 (void)
+{
+   // Test parsing long malformed IPv6 literals. This is a regression test for
+   // CDRIVER-4816.
+   bson_error_t error;
+
+   // Test the largest permitted IPv6 literal.
+   {
+      // Construct a string of repeating `:`.
+      bson_string_t *host = bson_string_new (NULL);
+      for (int i = 0; i < BSON_HOST_NAME_MAX - 2; i++) {
+         // Max IPv6 literal is two less due to including `[` and `]`.
+         bson_string_append (host, ":");
+      }
+
+      char *host_and_port = bson_strdup_printf ("[%s]:27017", host->str);
+      char *uri_string = bson_strdup_printf ("mongodb://%s", host_and_port);
+      mongoc_uri_t *uri = mongoc_uri_new_with_error (uri_string, &error);
+      ASSERT_OR_PRINT (uri, error);
+      const mongoc_host_list_t *hosts = mongoc_uri_get_hosts (uri);
+      ASSERT_CMPSTR (hosts->host, host->str);
+      ASSERT_CMPSTR (hosts->host_and_port, host_and_port);
+      ASSERT_CMPUINT16 (hosts->port, ==, 27017);
+      ASSERT (!hosts->next);
+
+      mongoc_uri_destroy (uri);
+      bson_free (uri_string);
+      bson_free (host_and_port);
+      bson_string_free (host, true /* free_segment */);
+   }
+
+   // Test one character more than the largest IPv6 literal.
+   {
+      // Construct a string of repeating `:`.
+      bson_string_t *host = bson_string_new (NULL);
+      for (int i = 0; i < BSON_HOST_NAME_MAX - 2 + 1; i++) {
+         bson_string_append (host, ":");
+      }
+
+      char *host_and_port = bson_strdup_printf ("[%s]:27017", host->str);
+      char *uri_string = bson_strdup_printf ("mongodb://%s", host_and_port);
+      capture_logs (true);
+      mongoc_uri_t *uri = mongoc_uri_new_with_error (uri_string, &error);
+      // Expect error parsing IPv6 literal is logged.
+      ASSERT_CAPTURED_LOG ("parsing IPv6",
+                           MONGOC_LOG_LEVEL_ERROR,
+                           "IPv6 literal provided in URI is too long");
+      capture_logs (false);
+
+      // Expect a generic parsing error is also returned.
+      ASSERT (!uri);
+      ASSERT_ERROR_CONTAINS (error,
+                             MONGOC_ERROR_COMMAND,
+                             MONGOC_ERROR_COMMAND_INVALID_ARG,
+                             "Invalid host string in URI");
+
+      mongoc_uri_destroy (uri);
+      bson_free (uri_string);
+      bson_free (host_and_port);
+      bson_string_free (host, true /* free_segment */);
+   }
+}
+
 void
 test_uri_install (TestSuite *suite)
 {
@@ -2774,4 +2838,5 @@ test_uri_install (TestSuite *suite)
                   "/Uri/one_tls_option_enables_tls",
                   test_one_tls_option_enables_tls);
    TestSuite_Add (suite, "/Uri/options_casing", test_casing_options);
+   TestSuite_Add (suite, "/Uri/parses_long_ipv6", test_parses_long_ipv6);
 }