Uploaded image for project: 'Couchbase Gateway'
  1. Couchbase Gateway
  2. CBG-3240

[3.0.9 Backport] Explicit check on xattr length to avoid panics

    XMLWordPrintable

Details

    • Bug
    • Resolution: Fixed
    • Major
    • 3.0.9
    • 2.8.3, 3.1.0, 3.1.1
    • SyncGateway
    • Security Level: Public
    • None
    • CBG Sprint 136
    • 1

    Description

      In https://github.com/couchbase/sync_gateway/blob/master/db/document.go#L519 

      body = data[xattrsLen+4:] can panic in some cases where KV sends a malformed xattr content over DCP.

      An explicit check on xattr length is needed to avoid this panic

      Another related panic can occur on 

      pairLen := binary.BigEndian.Uint32(data[pos : pos+4])

      can be reproduced with the last test case on TestParseXattr with 

      emptyBody, emptyXattr, _, emptyErr := parseXattrStreamData(base.SyncXattrName, "", []byte{math.MaxUint8, math.MaxUint8, math.MaxUint8, math.MaxUint8})

      but can also be avoided by checking xattr length before the body assignment. Could use that test to test the panic doesn't occur after adding a check.

      Attachments

        Issue Links

          Clones

          Bug - A problem which impairs or prevents the functions of the product. CBG-3238 Explicit check on xattr length to avoid panics

          • Major - Major loss of function.
          • Resolved

          Activity

            People

              tor.colvin Tor Colvin
              ben.brooks Ben Brooks
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                PagerDuty