  1. Python Driver
  2. PYTHON-252

_cbson crash/vulnerability (denial of service)

    • Type: Bug
    • Resolution: Done
    • Priority: Major - P3
    • 2.0
    • Affects Version/s: None
    • Component/s: None

      _cbson's get_value doesn't accept a data size parameter, which means that it is very easy to trick _cbson into decoding, and thus reading, out-of-range data that can easily crash Python. For example:

      python -c 'import bson; bson.decode_all("\x07\x00\x00\x00\x02a\x00\x78\x56\x34\x12")'

      If _cbson is compiled/enabled then Python will crash with a segmentation fault. If _cbson is not enabled, I lose speed but get the expected result:

      Traceback (most recent call last):
        File "<string>", line 1, in <module>
        File "bson/__init__.py", line 404, in decode_all
          (doc, data) = _bson_to_dict(data, as_class, tz_aware)
        File "bson/__init__.py", line 245, in _bson_to_dict
          return (_elements_to_dict(elements, as_class, tz_aware), data[obj_size:])
        File "bson/__init__.py", line 233, in _elements_to_dict
          (key, value, data) = _element_to_dict(data, as_class, tz_aware)
        File "bson/__init__.py", line 225, in _element_to_dict
          (element_name, data) = _get_c_string(data[1:])
        File "bson/__init__.py", line 75, in _get_c_string
          raise InvalidBSON()
      bson.errors.InvalidBSON

            Assignee: Bernie Hackett (bernie@mongodb.com)
            Reporter: Alexey Borzenkov (snaury)
            Votes: 2
            Watchers: 2
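The missing size parameter described in this report, shown as an added example that is not the driver's own code: a C routine that walks a BSON buffer and rejects any element whose name or value would extend past the declared document. The name `bson_check` and the two constructed sample documents are assumptions for illustration, and only element types 0x02 (string) and 0x10 (int32) are handled.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Little-endian int32 read; the caller has already checked 4 bytes exist. */
static int32_t rd_i32(const uint8_t *p) {
    return (int32_t)((uint32_t)p[0] | (uint32_t)p[1] << 8 |
                     (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24);
}

/* Returns the element count, or -1 if any read would leave buf[0..len).
   Hypothetical helper: handles only 0x02 (string) and 0x10 (int32). */
int bson_check(const uint8_t *buf, size_t len) {
    if (len < 5) return -1;                 /* size field + EOO byte */
    int32_t doc = rd_i32(buf);
    if (doc < 5 || (size_t)doc > len || buf[doc - 1] != 0) return -1;
    const uint8_t *p = buf + 4, *end = buf + doc - 1;   /* end = EOO byte */
    int count = 0;
    while (p < end) {
        uint8_t type = *p++;
        const uint8_t *nul = memchr(p, 0, (size_t)(end - p));
        if (!nul) return -1;                /* name not terminated in bounds */
        p = nul + 1;
        size_t left = (size_t)(end - p);    /* bytes available for the value */
        if ((type != 0x02 && type != 0x10) || left < 4) return -1;
        if (type == 0x02) {
            int32_t slen = rd_i32(p);       /* length includes trailing NUL */
            if (slen < 1 || (size_t)slen > left - 4) return -1;
            if (p[4 + slen - 1] != 0) return -1;
            p += (size_t)slen;
        }
        p += 4;
        count++;
    }
    return count;
}

/* Bytes from the report: declared size 7, but 11 bytes supplied. */
const uint8_t report_doc[] = {0x07,0,0,0, 0x02,'a',0, 0x78,0x56,0x34,0x12};
/* Constructed variant: consistent size 12, string length 0x12345678. */
const uint8_t huge_len_doc[] = {0x0c,0,0,0, 0x02,'a',0, 0x78,0x56,0x34,0x12, 0};
/* Constructed valid document {"a": "hi"}. */
const uint8_t valid_doc[] = {0x0f,0,0,0, 0x02,'a',0, 3,0,0,0, 'h','i',0, 0};

int main(void) {
    return !(bson_check(report_doc, sizeof report_doc) == -1 &&
             bson_check(huge_len_doc, sizeof huge_len_doc) == -1 &&
             bson_check(valid_doc, sizeof valid_doc) == 1);
}
```

The report's bytes fail at the element-name check, the same point where the pure-Python decoder raises InvalidBSON; the constructed variant fails at the string-length check instead.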