C Driver
CDRIVER-3340

Appending a bson_value_t containing an empty binary payload may abort

    • Type: Bug
    • Resolution: Fixed
    • Priority: Major - P3
    • Fix Version/s: 1.16.0
    • Affects Version/s: None
    • Component/s: libbson
    • Labels: None

      As noted in CDRIVER-2569, bson_append_binary asserts the binary payload is not NULL (but it is okay to use a non-NULL address with a zero length, which could be obtained from malloc(0), though bson_malloc(0) does return a NULL).

      However, bson_value_copy on an empty binary payload will produce a value with a NULL payload, which means if we can retrieve an empty binary value, copy it, and then try appending that copy, we get an abort:

      bson_t bson = BSON_INITIALIZER;
      bson_iter_t iter;
      const bson_value_t *value; /* bson_iter_value returns a pointer, not a struct */
      bson_value_t value_copy;
      /* iter points to an empty BSON binary value */
      value = bson_iter_value (&iter);
      bson_value_copy (value, &value_copy);
      /* The following asserts since value_copy.value.v_binary.data is NULL */
      BSON_APPEND_VALUE (&bson, "key", &value_copy);
      

      Consider:

      • loosening the restriction and allowing NULL to be passed to bson_append_binary. bson_append_utf8 already allows NULL (but appends it as a NULL type instead of as an empty UTF8 string)
      • changing bson_malloc to call the underlying allocator even for a zero length (which seems potentially dangerous, since users can override the allocator, and this would change how we're calling that allocator)

            Assignee: Kevin Albertson (kevin.albertson@mongodb.com)
            Reporter: Kevin Albertson (kevin.albertson@mongodb.com)
            Votes: 0
            Watchers: 1
