Fix for CVE-2018-16790 -- Verify bounds before binary length read.

Scott Gayou · ajdavis · commit 0d9a4d98bfdf · 2018-09-17T13:31:23.000-04:00
As reported here: https://jira.mongodb.org/browse/CDRIVER-2819, a heap overread occurs due a failure to correctly verify data bounds. In the original check, len - o returns the data left including the sizeof(l) we just read. Instead, the comparison should check against the data left NOT including the binary int32, i.e. just subtype (byte*) instead of int32 subtype (byte*). Added in test for corrupted BSON example.
diff --git a/src/libbson/src/bson/bson-iter.c b/src/libbson/src/bson/bson-iter.c
@@ -618,7 +618,7 @@ _bson_iter_next_internal (bson_iter_t *iter,    /* INOUT */
       memcpy (&l, iter->raw + iter->d1, sizeof (l));
       l = BSON_UINT32_FROM_LE (l);
 
-      if (l >= (len - o)) {
+      if (l >= (len - o - 4)) {
          iter->err_off = o;
          goto mark_invalid;
       }
diff --git a/src/libbson/tests/binary/test59.bson b/src/libbson/tests/binary/test59.bson
diff --git a/src/libbson/tests/test-bson.c b/src/libbson/tests/test-bson.c
@@ -1249,6 +1249,11 @@ test_bson_validate (void)
                   12,
                   BSON_VALIDATE_NONE,
                   "corrupt BSON");
+   VALIDATE_TEST ("test59.bson",
+                  BSON_VALIDATE_NONE,
+                  9,
+                  BSON_VALIDATE_NONE,
+                  "corrupt BSON");
 
    /* DBRef validation */
    b = BCON_NEW ("my_dbref",

Original file line number	Diff line number	Diff line change
`@@ -618,7 +618,7 @@ _bson_iter_next_internal (bson_iter_t iter, / INOUT */`
`618`	`618`	`memcpy (&l, iter->raw + iter->d1, sizeof (l));`
`619`	`619`	`l = BSON_UINT32_FROM_LE (l);`
`620`	`620`
`621`		`- if (l >= (len - o)) {`
	`621`	`+ if (l >= (len - o - 4)) {`
`622`	`622`	`iter->err_off = o;`
`623`	`623`	`goto mark_invalid;`
`624`	`624`	`}`