Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Panic in ParseMessage and newParser()->ReadMessage() due to malformed data #678

Open
pkillarjun opened this issue Nov 4, 2024 · 0 comments · May be fixed by #694
Open

Panic in ParseMessage and newParser()->ReadMessage() due to malformed data #678

pkillarjun opened this issue Nov 4, 2024 · 0 comments · May be fixed by #694

Comments

@pkillarjun
Copy link

Test code for TestParserBug

/* parser_test.go */

func TestParserBug(t *testing.T) {
	parser := newParser(strings.NewReader(string("8=\x019=119999999999999999999999999999999999999999999999999999999999970\x01")))
	_, _ = parser.ReadMessage()
}

Crash stack trace

$ go test -run=TestParserBug .

--- FAIL: TestParserBug (0.00s)
panic: runtime error: slice bounds out of range [-9223372036854775770:] [recovered]
        panic: runtime error: slice bounds out of range [-9223372036854775770:]

goroutine 7 [running]:
testing.tRunner.func1.2({0xae9c40, 0xc00002c4b0})
        /usr/lib/golang/src/testing/testing.go:1632 +0x230
testing.tRunner.func1()
        /usr/lib/golang/src/testing/testing.go:1635 +0x35e
panic({0xae9c40?, 0xc00002c4b0?})
        /usr/lib/golang/src/runtime/panic.go:785 +0x132
github.com/quickfixgo/quickfix.(*parser).findIndexAfterOffset(0xc00007af08, 0x8000000000000026, {0xc00007ae94, 0x4, 0x4})
        /home/cia/Desktop/quickfix/parser.go:83 +0x105
github.com/quickfixgo/quickfix.(*parser).findEndAfterOffset(0xc0001a9f08, 0x0?)
        /home/cia/Desktop/quickfix/parser.go:100 +0x2d
github.com/quickfixgo/quickfix.(*parser).ReadMessage(0xc0001a9f08)
        /home/cia/Desktop/quickfix/parser.go:154 +0x9b
github.com/quickfixgo/quickfix.TestParserBug(0xc0000c2b60?)
        /home/cia/Desktop/quickfix/parser_test.go:192 +0x8e
testing.tRunner(0xc0000c2b60, 0xb76560)
        /usr/lib/golang/src/testing/testing.go:1690 +0xf4
created by testing.(*T).Run in goroutine 1
        /usr/lib/golang/src/testing/testing.go:1743 +0x390
FAIL    github.com/quickfixgo/quickfix  0.008s
FAIL

Test code for TestParseMessageBug

/* message_test.go */

func TestParseMessageBug(t *testing.T) {
	msg := NewMessage()
	_ = ParseMessage(msg, bytes.NewBufferString(string("8=0000000\x01")))
}

Crash stack trace

$ go test -run=TestParseMessageBug .

--- FAIL: TestParseMessageBug (0.00s)
panic: runtime error: index out of range [1] with length 1 [recovered]
        panic: runtime error: index out of range [1] with length 1

goroutine 7 [running]:
testing.tRunner.func1.2({0xae9c40, 0xc00002c528})
        /usr/lib/golang/src/testing/testing.go:1632 +0x230
testing.tRunner.func1()
        /usr/lib/golang/src/testing/testing.go:1635 +0x35e
panic({0xae9c40?, 0xc00002c528?})
        /usr/lib/golang/src/runtime/panic.go:785 +0x132
github.com/quickfixgo/quickfix.doParsing(0xc000091eb0)
        /home/cia/Desktop/quickfix/message.go:216 +0x16ad
github.com/quickfixgo/quickfix.ParseMessageWithDataDictionary(0x1002700?, 0xb36a12?, 0xa?, 0x53b94e?)
        /home/cia/Desktop/quickfix/message.go:179 +0xa8
github.com/quickfixgo/quickfix.ParseMessage(...)
        /home/cia/Desktop/quickfix/message.go:160
github.com/quickfixgo/quickfix.TestParseMessageBug(0xc0000c2b60?)
        /home/cia/Desktop/quickfix/message_test.go:521 +0x215
testing.tRunner(0xc0000c2b60, 0xb76558)
        /usr/lib/golang/src/testing/testing.go:1690 +0xf4
created by testing.(*T).Run in goroutine 1
        /usr/lib/golang/src/testing/testing.go:1743 +0x390
FAIL    github.com/quickfixgo/quickfix  0.008s
FAIL
@pkillarjun pkillarjun mentioned this issue Nov 4, 2024
Open
sylr added a commit to sylr/quickfix-go that referenced this issue Feb 25, 2025
@sylr
Fix int overflow in parser
6459633 
A maliciously crafted message with a bogus body length could make the
parser panic if the body length is closed to the int limit.

Fixes quickfixgo#678

Signed-off-by: Sylvain Rabot <[email protected]>
sylr added a commit to sylr/quickfix-go that referenced this issue Feb 25, 2025
@sylr
Fix int overflow in parser
8095372 
A maliciously crafted message with a bogus body length could make the
parser panic if the body length is close to the int limit.

Fixes quickfixgo#678

Signed-off-by: Sylvain Rabot <[email protected]>
@sylr sylr linked a pull request Feb 25, 2025 that will close this issue
Open
sylr added a commit to sylr/quickfix-go that referenced this issue Feb 25, 2025
@sylr
Fix int overflow in parser
a57f9b5 
A maliciously crafted message with a bogus body length could make the
parser panic if the body length is close to the int limit.

Fixes quickfixgo#678

Signed-off-by: Sylvain Rabot <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix int overflow in parser sylr/quickfix-go
1 participant
@pkillarjun