OMPUB-527: 从解密后的client hello负载中解析user agent参数时，未对参数长度负值进行判断导致parse_quic_transport_parameter函数死循环触发sapp的watchdog timeout

2022-06-16 15:39:13 +08:00
parent 98c567cf88
commit ffb443ed7e
2 changed files with 75 additions and 1 deletions
--- a/demo/parse_quic_transport_parameter.cpp
+++ b/demo/parse_quic_transport_parameter.cpp
@@ -0,0 +1,70 @@
+//https://jira.geedge.net/browse/OMPUB-527
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+
+static int msb2_varint_decode(const unsigned char *buf, long *out)
+{
+	unsigned long val = buf[0] & 0x3f;
+	unsigned int nfollow = 1<<(buf[0]>>6);
+	switch (nfollow-1)
+	{
+         case 7: val = (val << 8) | buf[nfollow - 7]; /*fail through*/
+         case 6: val = (val << 8) | buf[nfollow - 6]; /*fail through*/
+         case 5: val = (val << 8) | buf[nfollow - 5]; /*fail through*/
+         case 4: val = (val << 8) | buf[nfollow - 4]; /*fail through*/
+         case 3: val = (val << 8) | buf[nfollow - 3]; /*fail through*/
+         case 2: val = (val << 8) | buf[nfollow - 2]; /*fail through*/
+         case 1: val = (val << 8) | buf[nfollow-1];
+         case 0: break;
+     }
+	*out=val;
+	
+    return nfollow;
+}
+
+int parse_quic_transport_parameter(const char *quic_para, int quic_para_len, int thread_seq)
+{
+	int one_para_length=0;
+	int para_offset=0;
+	long one_para_type=0;
+	
+	while(quic_para_len > para_offset)
+	{
+		para_offset+=msb2_varint_decode((const unsigned char *)(quic_para+para_offset), &one_para_type);
+		switch(one_para_type)
+		{
+			//case	EXT_QUIC_PARAM_USER_AGENT: // 2021-10-20 deprecated
+			case	0x3129:
+					one_para_length=quic_para[para_offset++]; // length=1
+					if(one_para_length+para_offset>quic_para_len)
+					{
+						return 0;
+					}
+					//para_offset+=copy_extension_tag(quic_para+para_offset, one_para_length, &client_hello->user_agent, thread_seq);
+					return 1;
+			default:
+				one_para_length=(int)(quic_para[para_offset++]); // length=1
+				if(one_para_length<0 || one_para_length>quic_para_len)
+				{
+					break;
+				}
+				para_offset+=one_para_length;
+				break;
+		}
+	}
+
+	return 0;
+}
+
+int main(int argc, char *argv[])
+{
+	char buff1[106]={0x80, 0x0, 0x47, 0x52, 0x4, 0x0, 0x0, 0x0, 0x1, 0x20, 0x4, 0x80, 0x1, 0x0, 0x0, 0xf, 0x0, 0x4, 0x4, 0x80, 0xf0, 0x0, 0x0, 0x8, 0x2, 0x40, 0x64, 0x7, 0x4, 0x80, 0x60, 0x0, 0x0, 0x9, 0x2, 0x40, 0x67, 0x6, 0x4, 0x80, 0x60, 0x0, 0x0, 0x80, 0xff, 0x73, 0xdb, 0xc, 0x0, 0x0, 0x0, 0x1, 0x3a, 0x6a, 0x9b, 0xaa, 0x4f, 0x2f, 0xbd, 0xc, 0xd5, 0xe2, 0xae, 0x32, 0x45, 0x6, 0x2e, 0xf, 0xc5, 0x82, 0x94, 0x3d, 0x5d, 0xb2, 0x69, 0x2c, 0x25, 0xbd, 0xd5, 0x85, 0x99, 0x72, 0xeb, 0x3, 0x2, 0x45, 0xc0, 0x1, 0x4, 0x80, 0x0, 0x75, 0x30, 0x71, 0x28, 0x4, 0x52, 0x56, 0x43, 0x4d, 0x5, 0x4, 0x80, 0x60, 0x0, 0x0};
+	char buff2[99]={0x71, 0x27, 0x4, 0x80, 0x2, 0xa5, 0xb2, 0xe4, 0xcf, 0x74, 0x5b, 0xf5, 0x6, 0x41, 0x20, 0x0, 0x8, 0x2, 0x40, 0x64, 0x4, 0x4, 0x80, 0xd4, 0x9f, 0xb7, 0x6f, 0xdf, 0xed, 0x48, 0x94, 0x18, 0xd7, 0x53, 0xf7, 0x92, 0x6, 0x94, 0xa0, 0x0, 0x0, 0x1, 0x4, 0x80, 0x0, 0x75, 0x30, 0xf, 0x0, 0x80, 0xff, 0x73, 0xdb, 0xc, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x1, 0x8a, 0x7a, 0x8a, 0x3a, 0x9, 0x2, 0x40, 0x67, 0x3, 0x2, 0x45, 0xc0, 0x5, 0x4, 0x80, 0x60, 0x0, 0x0, 0x71, 0x28, 0x4, 0x52, 0x56, 0x43, 0x4d, 0x20, 0x4, 0x80, 0x1, 0x0, 0x0, 0x7, 0x4, 0x80, 0x60, 0x0, 0x0};
+	
+	parse_quic_transport_parameter(buff1, 106, 0);
+	parse_quic_transport_parameter(buff2, 99, 0);
+
+	return 0;
+}
--- a/src/quic_process.cpp
+++ b/src/quic_process.cpp
@@ -376,7 +376,11 @@ int parse_quic_transport_parameter(struct quic_client_hello *client_hello, const
 					para_offset+=copy_extension_tag(quic_para+para_offset, one_para_length, &client_hello->user_agent, thread_seq);
 					return 1;
 			default:
-				one_para_length=quic_para[para_offset++]; // length=1
+				one_para_length=(int)(quic_para[para_offset++]); // length=1
+				if(one_para_length<0 || one_para_length>quic_para_len)
+				{
+					break;
+				}
 				para_offset+=one_para_length;
 				break;
 		}