Skip to content

[NRBF] Fix bugs discovered by the fuzzer #107368

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
buyaa-n merged 8 commits into from
Sep 6, 2024
Merged

[NRBF] Fix bugs discovered by the fuzzer #107368

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
ed757b2
bug #1: don't allow for values out of the SerializationRecordType enu…
adamsitnik Sep 4, 2024
29f913a
bug #2: throw SerializationException rather than KeyNotFoundException…
adamsitnik Sep 4, 2024
bc3f715
bug #3: throw SerializationException rather than FormatException when…
adamsitnik Sep 4, 2024
65c025d
bug #4: document the fact that IOException can be thrown
adamsitnik Sep 5, 2024
a2a7a3f
bug #5: throw SerializationException rather than OverflowException wh…
adamsitnik Sep 5, 2024
acfd78e
bug #6: 0 and 17 are illegal values for PrimitiveType enum
adamsitnik Sep 6, 2024
8b34191
Merge remote-tracking branch 'upstream/main' into nrbfFuzzer
adamsitnik Sep 6, 2024
9ecc6c8
bug #7: throw SerializationException when a surrogate character is re…
adamsitnik Sep 6, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
bug #3: throw SerializationException rather than FormatException when… 
… it's being thrown by BinaryReader (or sth else that we use)
  • Loading branch information
@adamsitnik
adamsitnik committed Sep 4, 2024
commit bc3f71555d96556806a084f4e898b2a770465fd8
3 changes: 3 additions & 0 deletions src/libraries/System.Formats.Nrbf/src/Resources/Strings.resx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -162,4 +162,7 @@
<data name="Serialization_InvalidAssemblyName" xml:space="preserve">
<value>Invalid assembly name: `{0}`.</value>
</data>
<data name="Serialization_InvalidFormat" xml:space="preserve">
<value>Invalid format.</value>
</data>
</root>
9 changes: 8 additions & 1 deletion src/libraries/System.Formats.Nrbf/src/System/Formats/Nrbf/NrbfDecoder.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -142,7 +142,14 @@ public static SerializationRecord Decode(Stream payload, out IReadOnlyDictionary
#endif

using BinaryReader reader = new(payload, ThrowOnInvalidUtf8Encoding, leaveOpen: leaveOpen);
return Decode(reader, options ?? new(), out recordMap);
try
{
return Decode(reader, options ?? new(), out recordMap);
}
catch (FormatException) // can be thrown by various BinaryReader methods
Copy link
Contributor

@teo-tsirpanis teo-tsirpanis Sep 4, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pass to inner exception?

Copy link
Member Author

@adamsitnik adamsitnik Sep 5, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't do that on purpose, to avoid leaking any information from the inner exception that could be attacker controlled (like some weird string that could somehow affect the log file).

Copy link
Member Author

@adamsitnik adamsitnik Sep 5, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

cc @GrabYourPitchforks

{
throw new SerializationException(SR.Serialization_InvalidFormat);
}
}

/// <summary>
Expand Down
21 changes: 21 additions & 0 deletions src/libraries/System.Formats.Nrbf/tests/InvalidInputTests.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -516,4 +516,25 @@ public void MissingRootRecord()

Assert.Throws<SerializationException>(() => NrbfDecoder.Decode(stream));
}

[Fact]
public void Invalid7BitEncodedStringLength()
{
// The highest bit of the last byte is set (so it's invalid).
byte[] invalidLength = [byte.MaxValue, byte.MaxValue, byte.MaxValue, byte.MaxValue, byte.MaxValue];

using MemoryStream stream = new();
BinaryWriter writer = new(stream, Encoding.UTF8);

WriteSerializedStreamHeader(writer);
writer.Write((byte)SerializationRecordType.BinaryObjectString);
writer.Write(1); // root record Id
writer.Write(invalidLength); // the length prefix
writer.Write(Encoding.UTF8.GetBytes("theString"));
writer.Write((byte)SerializationRecordType.MessageEnd);

stream.Position = 0;

Assert.Throws<SerializationException>(() => NrbfDecoder.Decode(stream));
}
}