Fix crashes in FCGI_PARAMS parsing

2019-05-04 19:42:37 -07:00
parent bea5b76b7c
commit 2faf75e8e4
55 changed files with 24 additions and 4 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -3,3 +3,4 @@ example_clock
 example_simple
 fastcgi_conn_afl
 *.o
+afl_state/findings
--- a/afl_state/findings/.cur_input
+++ b/afl_state/findings/.cur_input
@@ -1 +0,0 @@
-<EFBFBD>
--- a/afl_state/testcases/05d1f668cd963bf49f47844facd0b71dab94c2ad5429ea984adc6d956dd5ca9b
+++ b/afl_state/testcases/05d1f668cd963bf49f47844facd0b71dab94c2ad5429ea984adc6d956dd5ca9b
--- a/afl_state/testcases/0b0f255381504c76a1b728ea99efcc84b399830c182e254acd2fe7425ad7295c
+++ b/afl_state/testcases/0b0f255381504c76a1b728ea99efcc84b399830c182e254acd2fe7425ad7295c
--- a/afl_state/testcases/0f1ef62c369a1dca195251c6cdd48e2c2cb3edea6409fe8a5fc7995053dbad2f
+++ b/afl_state/testcases/0f1ef62c369a1dca195251c6cdd48e2c2cb3edea6409fe8a5fc7995053dbad2f
--- a/afl_state/testcases/183c87507cca2e58c6b4085919621c9ca9c69274e9fe783f83b1955c6a3834ed
+++ b/afl_state/testcases/183c87507cca2e58c6b4085919621c9ca9c69274e9fe783f83b1955c6a3834ed
--- a/afl_state/testcases/2e31aabc5c982b210e804dfe0b32978ec9a2be7be9ff34bae833add689341f02
+++ b/afl_state/testcases/2e31aabc5c982b210e804dfe0b32978ec9a2be7be9ff34bae833add689341f02
--- a/afl_state/testcases/2e4bc7036b455c6af4cd026e3feb1ba3453e38ef08361030ac38525e924c7f92
+++ b/afl_state/testcases/2e4bc7036b455c6af4cd026e3feb1ba3453e38ef08361030ac38525e924c7f92
--- a/afl_state/testcases/31ae4c7e435bb7d8de92a2eb0604d0dac5706298cbcf077c1721c7c1882fcf9c
+++ b/afl_state/testcases/31ae4c7e435bb7d8de92a2eb0604d0dac5706298cbcf077c1721c7c1882fcf9c
--- a/afl_state/testcases/329ee899f9c05b1b7c667adc2c7683b9d90a9f5afc9c3f5757c0d938ad8366f5
+++ b/afl_state/testcases/329ee899f9c05b1b7c667adc2c7683b9d90a9f5afc9c3f5757c0d938ad8366f5
--- a/afl_state/testcases/37c3830863a204dd98320e4108b99be5946bf825d6130addbbe78b5d9f0cd57e
+++ b/afl_state/testcases/37c3830863a204dd98320e4108b99be5946bf825d6130addbbe78b5d9f0cd57e
--- a/afl_state/testcases/37f29950791214cfd51e2135aa3ed130c8bc84de90d6a303914873eac5977f93
+++ b/afl_state/testcases/37f29950791214cfd51e2135aa3ed130c8bc84de90d6a303914873eac5977f93
--- a/afl_state/testcases/38d9b0fe0ad2cc29bee945b80e0ca4b1c9653ee3bd97b8d5154fa30422d0658d
+++ b/afl_state/testcases/38d9b0fe0ad2cc29bee945b80e0ca4b1c9653ee3bd97b8d5154fa30422d0658d
--- a/afl_state/testcases/5610128e4ee368a2cfc0327188e40f5b7347a7ec41017089f9d8770747367b2d
+++ b/afl_state/testcases/5610128e4ee368a2cfc0327188e40f5b7347a7ec41017089f9d8770747367b2d
--- a/afl_state/testcases/596c0979bb71b205ebcf361758d617f90faf8a40725bbfb4223049c86dd5d347
+++ b/afl_state/testcases/596c0979bb71b205ebcf361758d617f90faf8a40725bbfb4223049c86dd5d347
--- a/afl_state/testcases/5b99a2a9dab87070274cdc13e0511d78f55676f00398e1b1b629f2ca8da98a78
+++ b/afl_state/testcases/5b99a2a9dab87070274cdc13e0511d78f55676f00398e1b1b629f2ca8da98a78
--- a/afl_state/testcases/5d86ac01a848cb9448a52eb53c21516982a56b70222a4d96b130171228bcf37c
+++ b/afl_state/testcases/5d86ac01a848cb9448a52eb53c21516982a56b70222a4d96b130171228bcf37c
@@ -0,0 +1 @@
+9))))
--- a/afl_state/testcases/62bbe4acaa41e4583b7e4fe7a2a711bc1a7d40abc5bd08a30e1e689b2b5eddf1
+++ b/afl_state/testcases/62bbe4acaa41e4583b7e4fe7a2a711bc1a7d40abc5bd08a30e1e689b2b5eddf1
--- a/afl_state/testcases/64eb9b238392dd1ea64ef4842a003ed5adbd1f76736def3410371a69e74ef2ec
+++ b/afl_state/testcases/64eb9b238392dd1ea64ef4842a003ed5adbd1f76736def3410371a69e74ef2ec
--- a/afl_state/testcases/6c6fde56a069da5c7c1166aea9432ca3936c87c57b4a1690e1265bafdb77ffa0
+++ b/afl_state/testcases/6c6fde56a069da5c7c1166aea9432ca3936c87c57b4a1690e1265bafdb77ffa0
--- a/afl_state/testcases/7274b74610714c2f70898a6892c0e738bacf61785df911c84865f698d64804f3
+++ b/afl_state/testcases/7274b74610714c2f70898a6892c0e738bacf61785df911c84865f698d64804f3
--- a/afl_state/testcases/76c797962018c090a47262766c6ec8664d2144e73199872f08078b0f08824881
+++ b/afl_state/testcases/76c797962018c090a47262766c6ec8664d2144e73199872f08078b0f08824881
--- a/afl_state/testcases/7b0db3d789eeead3c8e8fc3033789838bd6f30ca7af2ed154105ab855e3e5c84
+++ b/afl_state/testcases/7b0db3d789eeead3c8e8fc3033789838bd6f30ca7af2ed154105ab855e3e5c84
--- a/afl_state/testcases/7e05276ed16dd1939201714ac302d0907d579754530536c1d465f2ec1655fff4
+++ b/afl_state/testcases/7e05276ed16dd1939201714ac302d0907d579754530536c1d465f2ec1655fff4
--- a/afl_state/testcases/82a2b4746b1355713ec9952cc511df58d0df522fbf5d37810d1223bfdb0cef77
+++ b/afl_state/testcases/82a2b4746b1355713ec9952cc511df58d0df522fbf5d37810d1223bfdb0cef77
--- a/afl_state/testcases/8934c53052b5fb1aaacc42b649c2893b7f7980cacf2e44e5f040e27527f0194c
+++ b/afl_state/testcases/8934c53052b5fb1aaacc42b649c2893b7f7980cacf2e44e5f040e27527f0194c
--- a/afl_state/testcases/8c391e83779d90d9cc43125039abf9c457e43d59ac005bdd3b6d1052e534da4d
+++ b/afl_state/testcases/8c391e83779d90d9cc43125039abf9c457e43d59ac005bdd3b6d1052e534da4d
--- a/afl_state/testcases/96ab87ec2e164061fb1155a62362f232282bc3240bf582536e635a17fe35042f
+++ b/afl_state/testcases/96ab87ec2e164061fb1155a62362f232282bc3240bf582536e635a17fe35042f
--- a/afl_state/testcases/988798fe1eb04f4992832eff2c1829d1ebc156c35b1b20eae6a0a6cc8683ae50
+++ b/afl_state/testcases/988798fe1eb04f4992832eff2c1829d1ebc156c35b1b20eae6a0a6cc8683ae50
--- a/afl_state/testcases/9dfa485e5c259aa7f78782c2e439c6f112a140debe7df35a94c0e12905f60352
+++ b/afl_state/testcases/9dfa485e5c259aa7f78782c2e439c6f112a140debe7df35a94c0e12905f60352
--- a/afl_state/testcases/9e19223af709bbe59fe61faac6a142e67878600b095d933ec51824bc421f9cea
+++ b/afl_state/testcases/9e19223af709bbe59fe61faac6a142e67878600b095d933ec51824bc421f9cea
--- a/afl_state/testcases/a5bf1ddf64dacb80ee8b9eb0e3dac25fdfae66c237994d344e098dcacf3eaf82
+++ b/afl_state/testcases/a5bf1ddf64dacb80ee8b9eb0e3dac25fdfae66c237994d344e098dcacf3eaf82
--- a/afl_state/testcases/a79410d504a36359bbcf9132b162f39c42c68baf6794628c2102a91246811399
+++ b/afl_state/testcases/a79410d504a36359bbcf9132b162f39c42c68baf6794628c2102a91246811399
--- a/afl_state/testcases/accf4d00eddcb8470f43ac7a3ca1a7c2fc9645a845eb1f5855357403f057dd0e
+++ b/afl_state/testcases/accf4d00eddcb8470f43ac7a3ca1a7c2fc9645a845eb1f5855357403f057dd0e
--- a/afl_state/testcases/b38c2393d62a261eee5d355bdbffdd8e8d0affa8c62a6b4482a1dad1cdb2ee8a
+++ b/afl_state/testcases/b38c2393d62a261eee5d355bdbffdd8e8d0affa8c62a6b4482a1dad1cdb2ee8a
--- a/afl_state/testcases/b48f818f87b59d4f2b8f77621bb57dd1a1117b67ecc14b69a4ad37407042e5e6
+++ b/afl_state/testcases/b48f818f87b59d4f2b8f77621bb57dd1a1117b67ecc14b69a4ad37407042e5e6
--- a/afl_state/testcases/b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c
+++ b/afl_state/testcases/b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c
--- a/afl_state/testcases/b6c95edb3fbfa49a4600fc817a91c5a678add1f95e58d243a0af0ad0867f1b6c
+++ b/afl_state/testcases/b6c95edb3fbfa49a4600fc817a91c5a678add1f95e58d243a0af0ad0867f1b6c
--- a/afl_state/testcases/be6422db2a25cf3bf3978d4c4117b7be1d059dbcc757a9a8c147e635e9792ac7
+++ b/afl_state/testcases/be6422db2a25cf3bf3978d4c4117b7be1d059dbcc757a9a8c147e635e9792ac7
--- a/afl_state/testcases/c1762d24b5869ec9d1ed96fae49524a9c826d0969596af177ef04e815e7e0ece
+++ b/afl_state/testcases/c1762d24b5869ec9d1ed96fae49524a9c826d0969596af177ef04e815e7e0ece
--- a/afl_state/testcases/c19b5f6f629f095fe1a734012b41979626fcaedcf770b7569e8ee1e4b4103376
+++ b/afl_state/testcases/c19b5f6f629f095fe1a734012b41979626fcaedcf770b7569e8ee1e4b4103376
--- a/afl_state/testcases/c2a618b8d93fe78ba6a08a0be39b9c1081426c6e4ef6cf9a512581be9fe65228
+++ b/afl_state/testcases/c2a618b8d93fe78ba6a08a0be39b9c1081426c6e4ef6cf9a512581be9fe65228
--- a/afl_state/testcases/c79b1988214eee72802da4fb9ab285b3bfc465a70cb46021365a0c674633708d
+++ b/afl_state/testcases/c79b1988214eee72802da4fb9ab285b3bfc465a70cb46021365a0c674633708d
--- a/afl_state/testcases/cceab84c133ea0ea0f2ff91703638c71af9afd156429995e262a73275ed5c7da
+++ b/afl_state/testcases/cceab84c133ea0ea0f2ff91703638c71af9afd156429995e262a73275ed5c7da
--- a/afl_state/testcases/cf07336e51086b1689ee97e05e05427ce5a777b22909b457715f3c62786b99eb
+++ b/afl_state/testcases/cf07336e51086b1689ee97e05e05427ce5a777b22909b457715f3c62786b99eb
--- a/afl_state/testcases/d0b7f6589261a4134c00b4d38b2d5e435397ea9fece64ddcefe8c3706b09e01b
+++ b/afl_state/testcases/d0b7f6589261a4134c00b4d38b2d5e435397ea9fece64ddcefe8c3706b09e01b
--- a/afl_state/testcases/d1e717630c61289df829791391f6992a6ef0ba8ff73bfe2bbf8777884a85622e
+++ b/afl_state/testcases/d1e717630c61289df829791391f6992a6ef0ba8ff73bfe2bbf8777884a85622e
--- a/afl_state/testcases/d9a4df9abb132f1dabde212b862393c88cbd60d8f01186e65570b1aa392c1174
+++ b/afl_state/testcases/d9a4df9abb132f1dabde212b862393c88cbd60d8f01186e65570b1aa392c1174
--- a/afl_state/testcases/dc2ac18b3866d569c8dc30852a511899a22dbc167f6f65a75571ebc1e94be132
+++ b/afl_state/testcases/dc2ac18b3866d569c8dc30852a511899a22dbc167f6f65a75571ebc1e94be132
--- a/afl_state/testcases/df14b6bdb051e7242051d12debd26a8ac7faeec5281857ce5674912db288bae9
+++ b/afl_state/testcases/df14b6bdb051e7242051d12debd26a8ac7faeec5281857ce5674912db288bae9
--- a/afl_state/testcases/e2b69890a2ad75f448667f7d815aa3909aa87982decd25b2aa567e42731291fa
+++ b/afl_state/testcases/e2b69890a2ad75f448667f7d815aa3909aa87982decd25b2aa567e42731291fa
--- a/afl_state/testcases/e8ab63bb5116dd865bd13bcf55080db3caea50721a193cb9480b9a5f66f69287
+++ b/afl_state/testcases/e8ab63bb5116dd865bd13bcf55080db3caea50721a193cb9480b9a5f66f69287
--- a/afl_state/testcases/f3bd6fa4b553785dc2862ee7e566f03990c125cd1be0cdb05731aeaf0645f8f5
+++ b/afl_state/testcases/f3bd6fa4b553785dc2862ee7e566f03990c125cd1be0cdb05731aeaf0645f8f5
--- a/buffer.cc
+++ b/buffer.cc
@@ -9,7 +9,9 @@ size_t ConstBuffer::ReadMaxLen() const {
 }

 const char *ConstBuffer::Read(size_t len) {
-	CHECK_LE(len, ReadMaxLen());
+	if (ReadMaxLen() < len) {
+		return nullptr;
+	}
 	const auto *ret = &const_buf_[start_];
 	start_ += len;
 	return ret;
--- a/fastcgi_conn.cc
+++ b/fastcgi_conn.cc
@@ -82,8 +82,25 @@ int FastCGIConn::Read() {
 				ConstBuffer param_buf(buf_.Read(header->ContentLength()), header->ContentLength());
 				while (param_buf.ReadMaxLen() > 0) {
 					const auto *param_header = param_buf.ReadObj<FastCGIParamHeader>();
-					std::string_view key(param_buf.Read(param_header->key_length), param_header->key_length);
-					std::string_view value(param_buf.Read(param_header->value_length), param_header->value_length);
+					if (!param_header) {
+						LOG(ERROR) << "FCGI_PARAMS missing header";
+						return sock_;
+					}
+
+					const auto *key_buf = param_buf.Read(param_header->key_length);
+					if (!key_buf) {
+						LOG(ERROR) << "FCGI_PARAMS missing key";
+						return sock_;
+					}
+					std::string_view key(key_buf, param_header->key_length);
+
+					const auto *value_buf = param_buf.Read(param_header->value_length);
+					if (!value_buf) {
+						LOG(ERROR) << "FCGI_PARAMS missing value";
+						return sock_;
+					}
+					std::string_view value(value_buf, param_header->value_length);
+
 					if (headers_.find(key) != headers_.end()) {
 						request_->AddParam(key, value);
 					}