[FIXED] Check of maxpayload could be bypassed if size overruns int32

kozlovic · kozlovic · commit eccd3d0868ba · 2019-07-01T14:29:50.000-06:00
One could craft a PUB protocol to cause server to panic. This can
happen if the size in the PUB protocol overruns an int32.

(note that if authorization is enabled, the user would need to
authenticate first, limiting the impact).

Signed-off-by: Ivan Kozlovic &lt;ivan@synadia.com&gt;
diff --git a/server/client.go b/server/client.go
@@ -1567,11 +1567,13 @@ func (c *client) processPub(trace bool, arg []byte) error {
 	default:
 		return fmt.Errorf("processPub Parse Error: '%s'", arg)
 	}
+	// If number overruns an int64, parseSize() will have returned a negative value
 	if c.pa.size < 0 {
 		return fmt.Errorf("processPub Bad or Missing Size: '%s'", arg)
 	}
 	maxPayload := atomic.LoadInt32(&c.mpay)
-	if maxPayload != jwt.NoLimit && int32(c.pa.size) > maxPayload {
+	// Use int64() to avoid int32 overrun...
+	if maxPayload != jwt.NoLimit && int64(c.pa.size) > int64(maxPayload) {
 		c.maxPayloadViolation(c.pa.size, maxPayload)
 		return ErrMaxPayload
 	}
diff --git a/server/leafnode.go b/server/leafnode.go
@@ -1193,7 +1193,7 @@ func (c *client) processLeafMsgArgs(trace bool, arg []byte) error {
 		}
 	}
 	if c.pa.size < 0 {
-		return fmt.Errorf("processRoutedMsgArgs Bad or Missing Size: '%s'", args)
+		return fmt.Errorf("processLeafMsgArgs Bad or Missing Size: '%s'", args)
 	}
 
 	// Common ones processed after check for arg length
diff --git a/test/maxpayload_test.go b/test/maxpayload_test.go
@@ -97,3 +97,28 @@ func TestMaxPayload(t *testing.T) {
 		}
 	}
 }
+
+func TestMaxPayloadOverrun(t *testing.T) {
+	opts := DefaultTestOptions
+	opts.Port = -1
+	opts.MaxPayload = 10000
+	s := RunServer(&opts)
+	defer s.Shutdown()
+
+	// Overrun a int32
+	c := createClientConn(t, "127.0.0.1", opts.Port)
+	defer c.Close()
+
+	send, expect := setupConn(t, c)
+	send("PUB foo 380571791000988\r\n")
+	expect(errRe)
+
+	// Now overrun an int64, parseSize will have returned -1,
+	// so we get disconnected.
+	c = createClientConn(t, "127.0.0.1", opts.Port)
+	defer c.Close()
+
+	send, _ = setupConn(t, c)
+	send("PUB foo 18446744073709551615123\r\n")
+	expectDisconnect(t, c)
+}

Original file line number	Diff line number	Diff line change
`@@ -1567,11 +1567,13 @@ func (c *client) processPub(trace bool, arg []byte) error {`
`1567`	`1567`	`default:`
`1568`	`1568`	`return fmt.Errorf("processPub Parse Error: '%s'", arg)`
`1569`	`1569`	`}`
	`1570`	`+ // If number overruns an int64, parseSize() will have returned a negative value`
`1570`	`1571`	`if c.pa.size < 0 {`
`1571`	`1572`	`return fmt.Errorf("processPub Bad or Missing Size: '%s'", arg)`
`1572`	`1573`	`}`
`1573`	`1574`	`maxPayload := atomic.LoadInt32(&c.mpay)`
`1574`		`- if maxPayload != jwt.NoLimit && int32(c.pa.size) > maxPayload {`
	`1575`	`+ // Use int64() to avoid int32 overrun...`
	`1576`	`+ if maxPayload != jwt.NoLimit && int64(c.pa.size) > int64(maxPayload) {`
`1575`	`1577`	`c.maxPayloadViolation(c.pa.size, maxPayload)`
`1576`	`1578`	`return ErrMaxPayload`
`1577`	`1579`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1193,7 +1193,7 @@ func (c *client) processLeafMsgArgs(trace bool, arg []byte) error {`
`1193`	`1193`	`}`
`1194`	`1194`	`}`
`1195`	`1195`	`if c.pa.size < 0 {`
`1196`		`- return fmt.Errorf("processRoutedMsgArgs Bad or Missing Size: '%s'", args)`
	`1196`	`+ return fmt.Errorf("processLeafMsgArgs Bad or Missing Size: '%s'", args)`
`1197`	`1197`	`}`
`1198`	`1198`
`1199`	`1199`	`// Common ones processed after check for arg length`