Merge pull request #272 from TheBlueMatt/2019-05-net-cleanups

Fix DoS in RawNetworkMessage Deserialization
This commit is contained in:
Andrew Poelstra 2019-06-07 11:53:31 +00:00 committed by GitHub
commit 5d7e6bb7a4
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 63 additions and 1 deletions

View File

@ -55,3 +55,7 @@ path = "fuzz_targets/outpoint_string.rs"
[[bin]] [[bin]]
name = "deserialize_psbt" name = "deserialize_psbt"
path = "fuzz_targets/deserialize_psbt.rs" path = "fuzz_targets/deserialize_psbt.rs"
[[bin]]
name = "deser_net_msg"
path = "fuzz_targets/deser_net_msg.rs"

View File

@ -0,0 +1,52 @@
extern crate bitcoin;
fn do_test(data: &[u8]) {
let _: Result<bitcoin::network::message::RawNetworkMessage, _> = bitcoin::consensus::encode::deserialize(data);
}
#[cfg(feature = "afl")]
#[macro_use] extern crate afl;
#[cfg(feature = "afl")]
fn main() {
fuzz!(|data| {
do_test(&data);
});
}
#[cfg(feature = "honggfuzz")]
#[macro_use] extern crate honggfuzz;
#[cfg(feature = "honggfuzz")]
fn main() {
loop {
fuzz!(|data| {
do_test(data);
});
}
}
#[cfg(test)]
mod tests {
fn extend_vec_from_hex(hex: &str, out: &mut Vec<u8>) {
let mut b = 0;
for (idx, c) in hex.as_bytes().iter().enumerate() {
b <<= 4;
match *c {
b'A'...b'F' => b |= c - b'A' + 10,
b'a'...b'f' => b |= c - b'a' + 10,
b'0'...b'9' => b |= c - b'0',
_ => panic!("Bad hex"),
}
if (idx & 1) == 1 {
out.push(b);
b = 0;
}
}
}
#[test]
fn duplicate_crash() {
let mut a = Vec::new();
extend_vec_from_hex("00", &mut a);
super::do_test(&a);
}
}

View File

@ -7,7 +7,7 @@ for TARGET in fuzz_targets/*; do
if [ -d hfuzz_input/$FILE ]; then if [ -d hfuzz_input/$FILE ]; then
HFUZZ_INPUT_ARGS="-f hfuzz_input/$FILE/input" HFUZZ_INPUT_ARGS="-f hfuzz_input/$FILE/input"
fi fi
HFUZZ_BUILD_ARGS="--features honggfuzz_fuzz" HFUZZ_RUN_ARGS="-N200000 --exit_upon_crash -v $HFUZZ_INPUT_ARGS" cargo hfuzz run $FILE HFUZZ_BUILD_ARGS="--features honggfuzz_fuzz" HFUZZ_RUN_ARGS="--run_time 30 --exit_upon_crash -v $HFUZZ_INPUT_ARGS" cargo hfuzz run $FILE
if [ -f hfuzz_workspace/$FILE/HONGGFUZZ.REPORT.TXT ]; then if [ -f hfuzz_workspace/$FILE/HONGGFUZZ.REPORT.TXT ]; then
cat hfuzz_workspace/$FILE/HONGGFUZZ.REPORT.TXT cat hfuzz_workspace/$FILE/HONGGFUZZ.REPORT.TXT

View File

@ -659,6 +659,12 @@ impl<D: Decoder> Decodable<D> for CheckedData {
#[inline] #[inline]
fn consensus_decode(d: &mut D) -> Result<CheckedData, self::Error> { fn consensus_decode(d: &mut D) -> Result<CheckedData, self::Error> {
let len: u32 = Decodable::consensus_decode(d)?; let len: u32 = Decodable::consensus_decode(d)?;
if len > MAX_VEC_SIZE as u32 {
return Err(self::Error::OversizedVectorAllocation {
requested: len as usize,
max: MAX_VEC_SIZE
});
}
let checksum: [u8; 4] = Decodable::consensus_decode(d)?; let checksum: [u8; 4] = Decodable::consensus_decode(d)?;
let mut ret = Vec::with_capacity(len as usize); let mut ret = Vec::with_capacity(len as usize);
ret.resize(len as usize, 0); ret.resize(len as usize, 0);