getUUID allows the user to read uninitialised memory #45

Closed
weissi opened this issue Aug 12, 2019 · 0 comments · Fixed by #48

weissi commented Aug 12, 2019

        func getUUID(at index: Int) -> UUID? {
            precondition(index >= 0, "index must not be negative")
            return self.withVeryUnsafeBytes { ptr in
                guard index <= ptr.count - MemoryLayout<uuid_t>.size else {
                    return nil
                }
                var value: uuid_t = (0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)
                withUnsafeMutableBytes(of: &value) { valuePtr in
                    valuePtr.copyMemory(
                        from: UnsafeRawBufferPointer(
                            start: ptr.baseAddress!.advanced(by: index),
                            count: MemoryLayout<UUID>.size
                        )
                    )
                }
                return UUID(uuid: value)
            }
        }
    }

The code above allows the user to read uninitialised memory, which is a security vulnerability.

A better way to write this function is:

    func getUUID(index: Int) -> UUID? {
        var uuid: uuid_t = (0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)
        return self.viewBytes(at: index, length: MemoryLayout.size(ofValue: uuid)).map { bufferBytes in
            withUnsafeMutableBytes(of: &uuid) { target in
                precondition(target.count <= bufferBytes.count)
                target.copyBytes(from: bufferBytes)
            }
            return UUID(uuid: uuid)
        }
    }
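
The difference between the two bounds checks, as an added example that is not part of the issue or the project's code: `ToyBuffer` and its method names are hypothetical, and it assumes that `withVeryUnsafeBytes` exposes the whole allocation rather than only the written bytes.

```swift
import Foundation

// Hypothetical stand-in for a byte buffer: `storage` is the whole allocation,
// but only the bytes below `writerIndex` have been written by the owner.
struct ToyBuffer {
    private var storage: [UInt8]
    private(set) var writerIndex = 0

    init(capacity: Int) {
        // Constructed: 0xAA models stale heap contents left in the allocation.
        self.storage = [UInt8](repeating: 0xAA, count: capacity)
    }

    mutating func write(_ bytes: [UInt8]) {
        precondition(bytes.count <= storage.count - writerIndex, "toy buffer does not grow")
        storage.replaceSubrange(writerIndex..<(writerIndex + bytes.count), with: bytes)
        writerIndex += bytes.count
    }

    // Same bound as the reported getUUID: the size of the allocation.
    func uuidBoundedByCapacity(at index: Int) -> UUID? {
        precondition(index >= 0, "index must not be negative")
        guard index <= storage.count - MemoryLayout<uuid_t>.size else { return nil }
        return Self.makeUUID(storage[index..<(index + MemoryLayout<uuid_t>.size)])
    }

    // Bound by the written region, which is what a view over valid bytes enforces.
    func uuidBoundedByWritten(at index: Int) -> UUID? {
        guard index >= 0, index <= writerIndex - MemoryLayout<uuid_t>.size else { return nil }
        return Self.makeUUID(storage[index..<(index + MemoryLayout<uuid_t>.size)])
    }

    private static func makeUUID(_ bytes: ArraySlice<UInt8>) -> UUID {
        var value: uuid_t = (0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)
        withUnsafeMutableBytes(of: &value) { $0.copyBytes(from: bytes) }
        return UUID(uuid: value)
    }
}

var buffer = ToyBuffer(capacity: 64)
buffer.write([1, 2, 3, 4])  // only 4 valid bytes in a 64-byte allocation

// Passes the capacity check, so 12 of the 16 bytes copied were never written.
print(buffer.uuidBoundedByCapacity(at: 0) as Any)
// Rejected: 16 bytes starting at index 0 do not fit inside the 4 written bytes.
print(buffer.uuidBoundedByWritten(at: 0) as Any)
```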

tanner0101 added the bug label Aug 12, 2019

tanner0101 added a commit that referenced this issue Aug 12, 2019
* fix string->bytes method, #44

* fix getUUID method, #45

* at label

* better readFloat/Double methods, #46

* remove unused get float/double methods