1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
|
From a9454ae060fffa609cc02b129441679b7d248d8f Mon Sep 17 00:00:00 2001
From: Shane Harvey <shnhrv@gmail.com>
Date: Wed, 27 Mar 2024 16:51:23 -0700
Subject: [PATCH] PYTHON-4305 Fix bson size check (#1564)
CVE: CVE-2024-5629
Upstream-Status: Backport [https://github.com/mongodb/mongo-python-driver/commit/372b5d68d5a57ccc43b33407cd23f0bc79d99283]
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
bson/_cbsonmodule.c | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/bson/_cbsonmodule.c b/bson/_cbsonmodule.c
index 1a296db..73370e2 100644
--- a/bson/_cbsonmodule.c
+++ b/bson/_cbsonmodule.c
@@ -2052,6 +2052,7 @@ static PyObject* get_value(PyObject* self, PyObject* name, const char* buffer,
uint32_t c_w_s_size;
uint32_t code_size;
uint32_t scope_size;
+ uint32_t len;
PyObject* code;
PyObject* scope;
PyObject* code_type;
@@ -2071,7 +2072,8 @@ static PyObject* get_value(PyObject* self, PyObject* name, const char* buffer,
memcpy(&code_size, buffer + *position, 4);
code_size = BSON_UINT32_FROM_LE(code_size);
/* code_w_scope length + code length + code + scope length */
- if (!code_size || max < code_size || max < 4 + 4 + code_size + 4) {
+ len = 4 + 4 + code_size + 4;
+ if (!code_size || max < code_size || max < len || len < code_size) {
goto invalid;
}
*position += 4;
@@ -2089,12 +2091,9 @@ static PyObject* get_value(PyObject* self, PyObject* name, const char* buffer,
memcpy(&scope_size, buffer + *position, 4);
scope_size = BSON_UINT32_FROM_LE(scope_size);
- if (scope_size < BSON_MIN_SIZE) {
- Py_DECREF(code);
- goto invalid;
- }
/* code length + code + scope length + scope */
- if ((4 + code_size + 4 + scope_size) != c_w_s_size) {
+ len = 4 + 4 + code_size + scope_size;
+ if (scope_size < BSON_MIN_SIZE || len != c_w_s_size || len < scope_size) {
Py_DECREF(code);
goto invalid;
}
|
