Merge pull request #272 from TheBlueMatt/2019-05-net-cleanups

Fix DoS in RawNetworkMessage Deserialization
2019-06-07 11:53:31 +00:00 · 2019-06-07 11:53:31 +00:00 · 5d7e6bb7a4
parent a6c1eacd70 0904935f19
commit 5d7e6bb7a4
4 changed files with 63 additions and 1 deletions
--- a/fuzz/Cargo.toml
+++ b/fuzz/Cargo.toml
@ -55,3 +55,7 @@ path = "fuzz_targets/outpoint_string.rs"
 [[bin]]
 name = "deserialize_psbt"
 path = "fuzz_targets/deserialize_psbt.rs"
+
+[[bin]]
+name = "deser_net_msg"
+path = "fuzz_targets/deser_net_msg.rs"
--- a/fuzz/fuzz_targets/deser_net_msg.rs
+++ b/fuzz/fuzz_targets/deser_net_msg.rs
@ -0,0 +1,52 @@
+extern crate bitcoin;
+
+fn do_test(data: &[u8]) {
+    let _: Result<bitcoin::network::message::RawNetworkMessage, _> = bitcoin::consensus::encode::deserialize(data);
+}
+
+#[cfg(feature = "afl")]
+#[macro_use] extern crate afl;
+#[cfg(feature = "afl")]
+fn main() {
+    fuzz!(|data| {
+        do_test(&data);
+    });
+}
+
+#[cfg(feature = "honggfuzz")]
+#[macro_use] extern crate honggfuzz;
+#[cfg(feature = "honggfuzz")]
+fn main() {
+    loop {
+        fuzz!(|data| {
+            do_test(data);
+        });
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    fn extend_vec_from_hex(hex: &str, out: &mut Vec<u8>) {
+        let mut b = 0;
+        for (idx, c) in hex.as_bytes().iter().enumerate() {
+            b <<= 4;
+            match *c {
+                b'A'...b'F' => b |= c - b'A' + 10,
+                b'a'...b'f' => b |= c - b'a' + 10,
+                b'0'...b'9' => b |= c - b'0',
+                _ => panic!("Bad hex"),
+            }
+            if (idx & 1) == 1 {
+                out.push(b);
+                b = 0;
+            }
+        }
+    }
+
+    #[test]
+    fn duplicate_crash() {
+        let mut a = Vec::new();
+        extend_vec_from_hex("00", &mut a);
+        super::do_test(&a);
+    }
+}
--- a/fuzz/travis-fuzz.sh
+++ b/fuzz/travis-fuzz.sh
@ -7,7 +7,7 @@ for TARGET in fuzz_targets/*; do
 	if [ -d hfuzz_input/$FILE ]; then
 	    HFUZZ_INPUT_ARGS="-f hfuzz_input/$FILE/input"
 	fi
-	HFUZZ_BUILD_ARGS="--features honggfuzz_fuzz" HFUZZ_RUN_ARGS="-N200000 --exit_upon_crash -v $HFUZZ_INPUT_ARGS" cargo hfuzz run $FILE
+	HFUZZ_BUILD_ARGS="--features honggfuzz_fuzz" HFUZZ_RUN_ARGS="--run_time 30 --exit_upon_crash -v $HFUZZ_INPUT_ARGS" cargo hfuzz run $FILE

 	if [ -f hfuzz_workspace/$FILE/HONGGFUZZ.REPORT.TXT ]; then
 		cat hfuzz_workspace/$FILE/HONGGFUZZ.REPORT.TXT
--- a/src/consensus/encode.rs
+++ b/src/consensus/encode.rs
@ -659,6 +659,12 @@ impl<D: Decoder> Decodable<D> for CheckedData {
    #[inline]
    fn consensus_decode(d: &mut D) -> Result<CheckedData, self::Error> {
        let len: u32 = Decodable::consensus_decode(d)?;
+        if len > MAX_VEC_SIZE as u32 {
+            return Err(self::Error::OversizedVectorAllocation {
+                requested: len as usize,
+                max: MAX_VEC_SIZE
+            });
+        }
        let checksum: [u8; 4] = Decodable::consensus_decode(d)?;
        let mut ret = Vec::with_capacity(len as usize);
        ret.resize(len as usize, 0);