Uploaded image for project: 'C Driver'
  1. C Driver
  2. CDRIVER-2455

Off by one error calculated required size with bson_append_regex

    • Type: Icon: Bug Bug
    • Resolution: Fixed
    • Priority: Icon: Major - P3 Major - P3
    • 1.9.1
    • Affects Version/s: 1.9.0
    • Component/s: None
    • None

      When analysing PHPC-1067 I found an off-by-one error in bson_append_regex.

      The calculation for the number of required bytes is off by one, since https://github.com/mongodb/libbson/commit/f9c179bb#diff-834e3eef392f29fc84e766ec869ff972L1533

      The annotated calculation is:

          r =  _bson_append (bson,
              5, // Number of data elements to add
              (1 + key_length + 1 + regex_len + options_sorted->len), // bytes to add
              1,          // length of first element (BSON type, int8)
              &type,      // the BSON type
              key_length, // the length of the field name
              key,        // the field name (not 0-termined)
              1,          // the length of the ending 0 byte
              &gZero,     // the null 0 byte
              regex_len,  // the length of the regular expression (including 0 byte)
              regex,      // the regular expression with 0 byte
              options_sorted->len + 1, // the length of the sorted options, with 0 byte
              options_sorted->str);    // the sorted options, with 0 byte
      

      If you compare (1 + key_length + 1 + regex_len + options_sorted->len) with the sum of all the length, you see it's missing 1 (the extra null of the options_sorted->len).

      This can cause a out-of-bound write.

            Assignee:
            derick Derick Rethans
            Reporter:
            derick Derick Rethans
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Created:
              Updated:
              Resolved: