Skip to content

[FIXED] Check of maxpayload could be bypassed if size overruns int32 #1053

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jul 1, 2019
Merged

[FIXED] Check of maxpayload could be bypassed if size overruns int32 #1053

merged 1 commit into from
Jul 1, 2019

Conversation

kozlovic
Copy link
Member

@kozlovic kozlovic commented Jul 1, 2019
edited
Loading

One could craft a PUB protocol to cause server to panic. This can
happen if the size in the PUB protocol overruns an int32.

(note that if authorization is enabled, the user would need to
authenticate first, limiting the impact).

Thank you to Aviv Sasson and Ariel Zelivansky from Twistlock
for the security report!

Signed-off-by: Ivan Kozlovic [email protected]

@kozlovic kozlovic requested a review from derekcollison July 1, 2019 20:45
derekcollison
derekcollison reviewed Jul 1, 2019
View reviewed changes
Copy link
Member

@derekcollison derekcollison left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Checking on int32 -> int64 cast removing negative bit.

Also should credit TL for report.

derekcollison
derekcollison requested changes Jul 1, 2019
View reviewed changes
Copy link
Member

@derekcollison derekcollison left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@kozlovic
[FIXED] Check of maxpayload could be bypassed if size overruns int32
156511b 
One could craft a PUB protocol to cause server to panic. This can
happen if the size in the PUB protocol overruns an int32.

(note that if authorization is enabled, the user would need to
authenticate first, limiting the impact).

Thank you to Aviv Sasson and Ariel Zelivansky from Twistlock
for the security report!

Signed-off-by: Ivan Kozlovic <[email protected]>
@kozlovic
Copy link
Member Author

kozlovic commented Jul 1, 2019

Added to commit log reference to people from Twistlock that reported the security issue.

@kozlovic kozlovic merged commit a171864 into master Jul 1, 2019
@kozlovic kozlovic deleted the mpay_overrun branch July 1, 2019 21:27
@kozlovic kozlovic mentioned this pull request Jun 1, 2020
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@derekcollison derekcollison derekcollison approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@kozlovic @derekcollison