Ekaterina Zilotina created DIRSERVER-2406:
---------------------------------------------

             Summary: Exceptions in DhcpMessageDecoder
                 Key: DIRSERVER-2406
                 URL: https://issues.apache.org/jira/browse/DIRSERVER-2406
             Project: Directory ApacheDS
          Issue Type: Bug
            Reporter: Ekaterina Zilotina
         Attachments: DecodeFuzzer.java.txt, jazzer_output.txt, samples.tgz

Class: DhcpMessageDecoder
Method: decode()

As a result of fuzz testing the decode() function, there are some unhandled 
exceptions:
 # BufferUnderflowException in the methods [ByteBuffer.get()|https://docs.oracle.com/en/java/javase/17/docs/api/java.base/java/nio/ByteBuffer.html#get()], [ByteBuffer.getInt()|https://docs.oracle.com/en/java/javase/17/docs/api/java.base/java/nio/ByteBuffer.html#getInt()], [ByteBuffer.getShort()|https://docs.oracle.com/en/java/javase/17/docs/api/java.base/java/nio/ByteBuffer.html#getShort()]. These methods are also used in other DhcpMessageDecoder methods like decodeOptions(), decodeString(), decodeAddress(), where Jazzer found BufferUnderflowException too.
 # ArrayIndexOutOfBoundsException [in method decodeString()|https://github.com/apache/directory-server/blob/8c9b56bdcc0703b04b8e2dbdc4f045ed5d83a064/protocol-dhcp/src/main/java/org/apache/directory/server/dhcp/io/DhcpMessageDecoder.java#L109]
 # NegativeArraySizeException [in method decodeOptions()|https://github.com/apache/directory-server/blob/8c9b56bdcc0703b04b8e2dbdc4f045ed5d83a064/protocol-dhcp/src/main/java/org/apache/directory/server/dhcp/io/DhcpMessageDecoder.java#L183]

This may not pose a threat to ApacheDS, but there is no handling in this area 
of code. Perhaps you should add other exception types (or base Exception) 
to the decode() function signature, or wrap the specified methods in try/catch 
blocks. Crash samples, the fuzz test and part of the Jazzer log are below.



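The exception classes named in the report, reproduced on a length-prefixed DHCP option list (code byte, length byte, value, per RFC 2132). This is an added example, not part of the original report and not ApacheDS code: `OptionDecodeDemo`, `naiveDecode`, `checkedDecode` and `MalformedOptionException` are hypothetical names, and the sample bytes are constructed.

```java
import java.nio.ByteBuffer;
import java.util.LinkedHashMap;
import java.util.Map;

public class OptionDecodeDemo {
    // Hypothetical checked exception a caller can handle as "drop this packet".
    static class MalformedOptionException extends Exception { MalformedOptionException(String m) { super(m); } }
    // Unchecked pattern: trusts the length byte, so malformed input escapes as RuntimeExceptions.
    static Map<Integer, byte[]> naiveDecode(ByteBuffer buf) {
        Map<Integer, byte[]> options = new LinkedHashMap<>();
        while (true) {
            int code = buf.get();             // BufferUnderflowException if END (255) never arrives
            if (code == 0) continue;          // PAD option has no length byte
            if (code == -1) break;            // END option: 0xFF read as a signed byte
            int length = buf.get();           // signed read: 0x80..0xFF become negative
            byte[] value = new byte[length];  // NegativeArraySizeException on a negative length
            buf.get(value);                   // BufferUnderflowException if length > remaining()
            options.put(code & 0xFF, value);
        }
        return options;
    }

    // Checked pattern: unsigned length, and remaining() is tested before every read.
    static Map<Integer, byte[]> checkedDecode(ByteBuffer buf) throws MalformedOptionException {
        Map<Integer, byte[]> options = new LinkedHashMap<>();
        while (buf.hasRemaining()) {
            int code = buf.get() & 0xFF;
            if (code == 0) continue;
            if (code == 255) return options;
            if (!buf.hasRemaining()) throw new MalformedOptionException("option " + code + ": no length byte");
            int length = buf.get() & 0xFF;
            if (length > buf.remaining()) throw new MalformedOptionException("option " + code + ": length " + length + " > remaining");
            byte[] value = new byte[length];
            buf.get(value);
            options.put(code, value);
        }
        // Assumption of this example: an option list without END is treated as malformed.
        throw new MalformedOptionException("END option missing");
    }
    public static void main(String[] args) {
        // Constructed inputs: well-formed, length 0x80, length past the end, END missing.
        byte[][] samples = { {53, 1, 1, (byte) 255}, {53, (byte) 0x80, 1}, {53, 4, 1}, {53, 1, 1} };
        for (byte[] s : samples) {
            try { System.out.println("naive:   " + naiveDecode(ByteBuffer.wrap(s)).keySet()); }
            catch (RuntimeException e) { System.out.println("naive:   " + e.getClass().getSimpleName()); }
            try { System.out.println("checked: " + checkedDecode(ByteBuffer.wrap(s)).keySet()); }
            catch (MalformedOptionException e) { System.out.println("checked: " + e.getMessage()); }
        }
    }
}
```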