CDRIVER-5735 Improve validation of uncompressedSize for OP_COMPRESSED (#1747)

eramongodb · eramongodb · commit a65cfc45cc48 · 2024-10-03T12:32:47.000-05:00
diff --git a/src/libmongoc/src/mongoc/mongoc-cluster.c b/src/libmongoc/src/mongoc/mongoc-cluster.c
@@ -3597,7 +3597,19 @@ mcd_rpc_message_decompress (mcd_rpc_message *rpc, void **data, size_t *data_len)
    // msgHeader consists of four int32 fields.
    const size_t message_header_length = 4u * sizeof (int32_t);
 
-   const size_t uncompressed_size = (size_t) mcd_rpc_op_compressed_get_uncompressed_size (rpc);
+   const int32_t uncompressed_size_raw = mcd_rpc_op_compressed_get_uncompressed_size (rpc);
+
+   // Malformed message: invalid uncompressedSize.
+   if (BSON_UNLIKELY (uncompressed_size_raw < 0)) {
+      return false;
+   }
+
+   const size_t uncompressed_size = (size_t) uncompressed_size_raw;
+
+   // Malformed message: original message length is not representable.
+   if (BSON_UNLIKELY (uncompressed_size > SIZE_MAX - message_header_length)) {
+      return false;
+   }
 
    // uncompressedSize does not include msgHeader fields.
    const size_t original_message_length = message_header_length + uncompressed_size;
@@ -3643,7 +3655,11 @@ mcd_rpc_message_decompress (mcd_rpc_message *rpc, void **data, size_t *data_len)
       return false;
    }
 
-   BSON_ASSERT (uncompressed_size == actual_uncompressed_size);
+   // Malformed message: size inconsistency.
+   if (BSON_UNLIKELY (uncompressed_size != actual_uncompressed_size)) {
+      bson_free (ptr);
+      return false;
+   }
 
    *data_len = original_message_length;
    *data = ptr; // Ownership transfer.
diff --git a/src/libmongoc/src/mongoc/mongoc-compression.c b/src/libmongoc/src/mongoc/mongoc-compression.c
@@ -137,20 +137,27 @@ mongoc_compressor_name_to_id (const char *compressor)
    return -1;
 }
 
+// To support unchecked casts from `unsigned long` to `size_t`.
+BSON_STATIC_ASSERT2 (size_t_gte_ulong, SIZE_MAX >= ULONG_MAX);
+
 bool
 mongoc_uncompress (int32_t compressor_id,
                    const uint8_t *compressed,
                    size_t compressed_len,
                    uint8_t *uncompressed,
                    size_t *uncompressed_len)
 {
+   BSON_ASSERT_PARAM (compressed);
+   BSON_ASSERT_PARAM (uncompressed);
+   BSON_ASSERT_PARAM (uncompressed_len);
+
    TRACE ("Uncompressing with '%s' (%d)", mongoc_compressor_id_to_name (compressor_id), compressor_id);
 
    switch (compressor_id) {
    case MONGOC_COMPRESSOR_SNAPPY_ID: {
 #ifdef MONGOC_ENABLE_COMPRESSION_SNAPPY
-      snappy_status status;
-      status = snappy_uncompress ((const char *) compressed, compressed_len, (char *) uncompressed, uncompressed_len);
+      const snappy_status status =
+         snappy_uncompress ((const char *) compressed, compressed_len, (char *) uncompressed, uncompressed_len);
 
       return status == SNAPPY_OK;
 #else
@@ -162,11 +169,28 @@ mongoc_uncompress (int32_t compressor_id,
 
    case MONGOC_COMPRESSOR_ZLIB_ID: {
 #ifdef MONGOC_ENABLE_COMPRESSION_ZLIB
-      BSON_ASSERT (bson_in_range_unsigned (unsigned_long, compressed_len));
-      const int ok =
-         uncompress (uncompressed, (unsigned long *) uncompressed_len, compressed, (unsigned long) compressed_len);
+      // Malformed message: unrepresentable.
+      if (BSON_UNLIKELY (!bson_in_range_unsigned (unsigned_long, compressed_len))) {
+         return false;
+      }
+
+      // Malformed message: unrepresentable.
+      if (BSON_UNLIKELY (!bson_in_range_unsigned (unsigned_long, *uncompressed_len))) {
+         return false;
+      }
+
+      uLong actual_uncompressed_len = (uLong) *uncompressed_len;
+
+      const int res =
+         uncompress (uncompressed, &actual_uncompressed_len, (const Bytef *) compressed, (uLong) compressed_len);
+
+      if (BSON_UNLIKELY (res != Z_OK)) {
+         return false;
+      }
 
-      return ok == Z_OK;
+      *uncompressed_len = (size_t) actual_uncompressed_len;
+
+      return true;
 #else
       MONGOC_WARNING ("Received zlib compressed opcode, but zlib "
                       "compression is not compiled in");
@@ -176,22 +200,26 @@ mongoc_uncompress (int32_t compressor_id,
 
    case MONGOC_COMPRESSOR_ZSTD_ID: {
 #ifdef MONGOC_ENABLE_COMPRESSION_ZSTD
-      int ok;
+      const size_t res = ZSTD_decompress (uncompressed, *uncompressed_len, compressed, compressed_len);
 
-      ok = ZSTD_decompress ((void *) uncompressed, *uncompressed_len, (const void *) compressed, compressed_len);
-
-      if (!ZSTD_isError (ok)) {
-         *uncompressed_len = ok;
+      if (BSON_UNLIKELY (ZSTD_isError (res))) {
+         return false;
       }
 
-      return !ZSTD_isError (ok);
+      *uncompressed_len = res;
+
+      return true;
 #else
       MONGOC_WARNING ("Received zstd compressed opcode, but zstd "
                       "compression is not compiled in");
       return false;
 #endif
    }
    case MONGOC_COMPRESSOR_NOOP_ID:
+      // Malformed message: not enough space.
+      if (BSON_UNLIKELY (*uncompressed_len < compressed_len)) {
+         return false;
+      }
       memcpy (uncompressed, compressed, compressed_len);
       *uncompressed_len = compressed_len;
       return true;
