cbor: Add allocation size limits.
Basic checks on field length headers before allocation are a reasonable
precaution against denial of service and out of memory attacks.
(Also, without these checks, we'd readily pass allocation numbers so
large to `make` that it would panic instantly, and that's quite silly.)

This fixes the crashers and panics reported in
#23 (comment).

Further hardening should probably count the rough total of alloc'd
space over time so we can aim for finite memory usage even on outright
antagonistic input.  However, that's a bit trickier, and will also
beg questions about how the cbor half of the library could possibly
make sensible guesses about how much memory e.g. the obj unmarshaller
might translate these tokens into.  This'll come in later commits.

Signed-off-by: Eric Myhre <[email protected]>
warpfork committed Mar 14, 2018
1 parent 8717756 commit 665d606
Showing 1 changed file with 9 additions and 0 deletions.
9 changes: 9 additions & 0 deletions cbor/cborDecoderTerminals.go
Expand Up @@ -124,6 +124,9 @@ func (d *Decoder) decodeBytesOrStringIndefinite(bs []byte, majorWanted byte) (bs
}
oldLen := len(bs)
newLen := oldLen + n
if n > 33554432 {
return nil, fmt.Errorf("cbor: decoding rejected oversized indefinite string/bytes field: %d is too large", n)
}
if newLen > cap(bs) {
bs2 := make([]byte, newLen, 2*cap(bs)+n)
copy(bs2, bs)
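Review bot: The added `if n > 33554432` check in decodeBytesOrStringIndefinite bounds only the current chunk, while `newLen := oldLen + n` is never compared against any limit. An indefinite-length string made of many chunks that each stay under the threshold can still drive `make([]byte, newLen, 2*cap(bs)+n)` to an arbitrarily large allocation, which is the out-of-memory case the commit message sets out to prevent. Consider rejecting when `newLen` exceeds the limit (in addition to, or instead of, the per-chunk check), and moving the check above the `newLen` computation so the sum is only formed from a value that has already been validated.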
Expand Down Expand Up @@ -168,6 +171,9 @@ func (d *Decoder) decodeBytes(majorByte byte) (bs []byte, err error) {
if err != nil {
return nil, err
}
if n > 33554432 {
return nil, fmt.Errorf("cbor: decoding rejected oversized byte field: %d is too large", n)
}
return d.r.Readn(n)
}
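Review bot: The literal `33554432` in decodeBytes is an undocumented magic number that now appears three times in this file. It is 32 MiB (2^25), but nothing in the code says so or explains why that value was chosen. Suggest a single named, commented package-level constant used by all three checks, and including the limit in the error text so that a caller who hits "%d is too large" can see what the ceiling is. If callers are expected to decode legitimately larger fields, a configurable limit on the Decoder would be worth considering as well.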

Expand All @@ -177,6 +183,9 @@ func (d *Decoder) decodeString(majorByte byte) (s string, err error) {
if err != nil {
return "", err
}
if n > 33554432 {
return "", fmt.Errorf("cbor: decoding rejected oversized string field: %d is too large", n)
}
bs, err := d.r.Readnzc(n)
return string(bs), err
}
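Review bot: The new rejection branch in decodeString, like the two before it, arrives without a test: the commit touches only cbor/cborDecoderTerminals.go, so the crashers and panics the message says it fixes have no regression coverage. Suggest adding test cases that feed a short input whose length header claims more than 33554432 bytes for each of the three paths (definite bytes, definite string, indefinite chunk) and assert that an error is returned rather than a panic. Since the three checks are identical apart from the message, a small shared helper would also keep the limit and its wording from drifting apart.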