author | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2017-12-19 13:08:56 +0100 |
---|---|---|
committer | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2017-12-20 10:11:07 +0000 |
commit | ecf956cc0aa45a4bb64f32d66e6dac48a0144011 (patch) | |
tree | 152ea5532b165f3acfe0b7fac7f6557bf39f5ec1 | |
parent | 224acc295777ea2cf642842cebbd6df86ad2c888 (diff) | |
download | qtwebengine-chromium-ecf956cc0aa45a4bb64f32d66e6dac48a0144011.tar.gz |
[Backport] Fix OOB Write in QuicStreamSequencerBuffer::OnStreamData
BUG=778505
TBR=rch@chromium.org
Reviewed-on: https://chromium-review.googlesource.com/748282
Reviewed-on: https://chromium-review.googlesource.com/755001
(CVE-2017-15407)
Change-Id: Ia563451918e62e5d81d24f1d47c40c5210bb840e
Reviewed-by: Michael Brüning <michael.bruning@qt.io>
-rw-r--r-- | chromium/net/quic/core/quic_stream_sequencer_buffer.cc | 8 | ||||
-rw-r--r-- | chromium/net/quic/core/quic_stream_sequencer_buffer_test.cc | 15 |
2 files changed, 21 insertions, 2 deletions
diff --git a/chromium/net/quic/core/quic_stream_sequencer_buffer.cc b/chromium/net/quic/core/quic_stream_sequencer_buffer.cc
index 3706d38805c..46defd0605f 100644
--- a/chromium/net/quic/core/quic_stream_sequencer_buffer.cc
+++ b/chromium/net/quic/core/quic_stream_sequencer_buffer.cc
@@ -102,7 +102,10 @@ QuicErrorCode QuicStreamSequencerBuffer::OnStreamData(
     ++current_gap;
   }
-  DCHECK(current_gap != gaps_.end());
+  if (current_gap == gaps_.end()) {
+    *error_details = "Received stream data outside of maximum range.";
+    return QUIC_INTERNAL_ERROR;
+  }
   // "duplication": might duplicate with data alread filled,but also might
   // overlap across different QuicStringPiece objects already written.
@@ -138,7 +141,8 @@ QuicErrorCode QuicStreamSequencerBuffer::OnStreamData(
   }
   // Write beyond the current range this buffer is covering.
-  if (offset + size > total_bytes_read_ + max_buffer_capacity_bytes_) {
+  if (offset + size > total_bytes_read_ + max_buffer_capacity_bytes_ ||
+      offset + size < offset) {
     *error_details = "Received data beyond available range.";
     return QUIC_INTERNAL_ERROR;
   }
diff --git a/chromium/net/quic/core/quic_stream_sequencer_buffer_test.cc b/chromium/net/quic/core/quic_stream_sequencer_buffer_test.cc
index 88c9a0c391b..344ca583d83 100644
--- a/chromium/net/quic/core/quic_stream_sequencer_buffer_test.cc
+++ b/chromium/net/quic/core/quic_stream_sequencer_buffer_test.cc
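Review bot: The DCHECK that this hunk replaces was the only guard on an offset that, as the function name suggests, arrives from the peer, so in a release build (DCHECK compiled out) an offset past every gap fell straight through to the write; the new early return is the right shape, but nothing at the check records why it must be a runtime check rather than an assertion, and a later cleanup could turn it back into one. Suggest a comment above the new `if`: `// The offset is peer-controlled; reject it at runtime, not only under DCHECK.`. Returning QUIC_INTERNAL_ERROR reports a peer-driven condition under an "internal" name, which matches the existing range check later in this function (the hunk at line 141), so the choice is at least consistent. OnStreamData's body starts and ends outside this hunk.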
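Review bot: The wrap-around guard `offset + size < offset` is placed at line 141, after the gap walk at line 102 and the duplication handling between the two hunks, so any use of `offset + size` in that stretch (not visible here) still runs on the wrapped sum before it is rejected. Consider deciding the wrap next to the gaps_.end() check at the top of the function instead, e.g. `if (offset + size < offset) { *error_details = "Received data beyond available range."; return QUIC_INTERNAL_ERROR; }` ahead of the gap walk, so both range errors are settled before the buffer state is consulted. The comparison relies on QuicStreamOffset being unsigned (the test file casts -1 and -2 into it), which is what makes the wrap well-defined rather than undefined behaviour; a one-line comment saying so, `// Unsigned wrap: a sum below offset means offset + size overflowed.`, would keep that assumption visible. OnStreamData's body continues outside this hunk.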
@@ -297,6 +297,21 @@ TEST_F(QuicStreamSequencerBufferTest, OnStreamDataBeyondCapacity) {
                                  clock_.ApproximateNow(), &written, &error_details_));
   EXPECT_TRUE(helper_->CheckBufferInvariants());
+
+  // Disallow current_gap != gaps_.end()
+  EXPECT_EQ(QUIC_INTERNAL_ERROR,
+            buffer_->OnStreamData(static_cast<QuicStreamOffset>(-1), source,
+                                  clock_.ApproximateNow(), &written,
+                                  &error_details_));
+  EXPECT_TRUE(helper_->CheckBufferInvariants());
+
+  // Disallow offset + size overflow
+  source = "bbb";
+  EXPECT_EQ(QUIC_INTERNAL_ERROR,
+            buffer_->OnStreamData(static_cast<QuicStreamOffset>(-2), source,
+                                  clock_.ApproximateNow(), &written,
+                                  &error_details_));
+  EXPECT_TRUE(helper_->CheckBufferInvariants());
   EXPECT_EQ(0u, buffer_->BytesBuffered());
 }
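Review bot: The comment `// Disallow current_gap != gaps_.end()` states the opposite of what the new guard rejects — OnStreamData now fails when `current_gap == gaps_.end()`, i.e. when the offset lies past every gap — so reword it to `// Offset past every gap (current_gap == gaps_.end()) must be rejected.`. Both new expectations check only the error code, and the two guards return the same QUIC_INTERNAL_ERROR, so a regression that let the -1 case reach the later "beyond available range" check would still pass; adding `EXPECT_EQ("Received stream data outside of maximum range.", error_details_);` after the first call (assuming error_details_ is a string type comparable with a literal) would tell the two guards apart. The size of `source` at the -1 call is set before the hunk, so it is not visible whether that call also wraps offset + size; the -2 call with "bbb" is the one that pins the wrap check. The TEST_F body starts outside this hunk.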