Ekaterina Zilotina created DIRSERVER-2406:
---------------------------------------------
Summary: Exceptions in DhcpMessageDecoder
Key: DIRSERVER-2406
URL: https://issues.apache.org/jira/browse/DIRSERVER-2406
Project: Directory ApacheDS
Issue Type: Bug
Reporter: Ekaterina Zilotina
Attachments: DecodeFuzzer.java.txt, jazzer_output.txt, samples.tgz
Class: DhcpMessageDecoder
Method: decode()
As a result of fuzz testing the decode() function, there are some unhandled
exceptions:
# BufferUnderflowException in methods [ByteBuffer.get()|https://docs.oracle.com/en/java/javase/17/docs/api/java.base/java/nio/ByteBuffer.html#get()], [ByteBuffer.getInt()|https://docs.oracle.com/en/java/javase/17/docs/api/java.base/java/nio/ByteBuffer.html#getInt()], [ByteBuffer.getShort()|https://docs.oracle.com/en/java/javase/17/docs/api/java.base/java/nio/ByteBuffer.html#getShort()]. These methods are also used in other DhcpMessageDecoder methods like decodeOptions(), decodeString(), decodeAddress(), where Jazzer found BufferUnderflowException too.
# ArrayIndexOutOfBoundsException [in method decodeString()|https://github.com/apache/directory-server/blob/8c9b56bdcc0703b04b8e2dbdc4f045ed5d83a064/protocol-dhcp/src/main/java/org/apache/directory/server/dhcp/io/DhcpMessageDecoder.java#L109]
# NegativeArraySizeException [in method decodeOptions()|https://github.com/apache/directory-server/blob/8c9b56bdcc0703b04b8e2dbdc4f045ed5d83a064/protocol-dhcp/src/main/java/org/apache/directory/server/dhcp/io/DhcpMessageDecoder.java#L183]
This may not pose a threat to ApacheDS, but there is no handling in this area
of code. Perhaps you should add other exception types (or the base Exception)
to the decode() function signature, or wrap the specified methods in try/catch
blocks. Crash samples, the fuzz test and part of the Jazzer log are below.
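An added example, not part of the original report and not ApacheDS code: a stand-alone decoder for the DHCP options field (code, length, value triples as defined in RFC 2132) that checks the buffer before every read and reports malformed input through one checked exception, so truncated or inconsistent packets cannot surface as BufferUnderflowException, ArrayIndexOutOfBoundsException or NegativeArraySizeException. The class, method and exception names are hypothetical, the sample packets are constructed, and rejecting options that lack the end marker is a strictness choice of this example.

```java
import java.nio.ByteBuffer;
import java.util.LinkedHashMap;
import java.util.Map;

// Hypothetical names throughout; this is not the ApacheDS DhcpMessageDecoder.
public class SafeDhcpOptions {

    /** Single checked exception for every kind of malformed input. */
    public static class MalformedDhcpException extends Exception {
        public MalformedDhcpException(String msg) { super(msg); }
    }

    /** Parses RFC 2132 options without throwing unchecked exceptions. */
    public static Map<Integer, byte[]> decodeOptions(ByteBuffer buf) throws MalformedDhcpException {
        Map<Integer, byte[]> options = new LinkedHashMap<>();
        while (buf.hasRemaining()) {
            int code = buf.get() & 0xFF;          // mask: Java bytes are signed
            if (code == 0) continue;              // pad option carries no length byte
            if (code == 255) return options;      // end option
            if (!buf.hasRemaining()) {
                throw new MalformedDhcpException("option " + code + " has no length byte");
            }
            int len = buf.get() & 0xFF;           // unmasked, 0x80..0xFF would be negative
            if (len > buf.remaining()) {          // check before allocating and reading
                throw new MalformedDhcpException("option " + code + " claims " + len
                        + " bytes, only " + buf.remaining() + " left");
            }
            byte[] value = new byte[len];
            buf.get(value);
            options.put(code, value);
        }
        throw new MalformedDhcpException("options not terminated by end option (255)");
    }

    public static void main(String[] args) {
        // Constructed samples: one valid, three malformed.
        byte[][] samples = {
            {53, 1, 1, (byte) 255},               // message type option, then end
            {53},                                 // truncated before the length byte
            {12, (byte) 0xF0, 'a', 'b'},          // length larger than remaining data
            {53, 1, 1},                           // missing end option
        };
        for (byte[] s : samples) {
            try {
                System.out.println("ok: " + decodeOptions(ByteBuffer.wrap(s)).keySet());
            } catch (MalformedDhcpException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```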