fix: make sure bitfield is within limits (#535)

vmx · web-flow · commit c4f4acbe4f02 · 2022-05-11T17:36:09.000-04:00
Error if one tries to decode a bitfield that is too large.
diff --git a/ipld/bitfield/src/lib.rs b/ipld/bitfield/src/lib.rs
@@ -21,6 +21,12 @@ pub use rleplus::Error;
 use thiserror::Error;
 pub use unvalidated::{UnvalidatedBitField, Validate};
 
+/// MaxEncodedSize is the maximum encoded size of a bitfield. When expanded into
+/// a slice of runs, a bitfield of this size should not exceed 2MiB of memory.
+///
+/// This bitfield can fit at least 3072 sparse elements.
+pub(crate) const MAX_ENCODED_SIZE: usize = 32 << 10;
+
 #[derive(Clone, Error, Debug)]
 #[error("bitfields may not include u64::MAX")]
 pub struct OutOfRangeError;
diff --git a/ipld/bitfield/src/rleplus/mod.rs b/ipld/bitfield/src/rleplus/mod.rs
@@ -75,13 +75,7 @@ use serde::{Deserialize, Deserializer, Serialize, Serializer};
 pub use writer::BitWriter;
 
 use super::BitField;
-use crate::RangeSize;
-
-// MaxEncodedSize is the maximum encoded size of a bitfield. When expanded into
-// a slice of runs, a bitfield of this size should not exceed 2MiB of memory.
-//
-// This bitfield can fit at least 3072 sparse elements.
-const MAX_ENCODED_SIZE: usize = 32 << 10;
+use crate::{RangeSize, MAX_ENCODED_SIZE};
 
 impl Serialize for BitField {
     fn serialize<S>(&self, serializer: S) -> std::result::Result<S::Ok, S::Error>
diff --git a/ipld/bitfield/src/unvalidated.rs b/ipld/bitfield/src/unvalidated.rs
@@ -7,7 +7,7 @@ use fvm_ipld_encoding::serde_bytes;
 use serde::{Deserialize, Deserializer, Serialize};
 
 use super::BitField;
-use crate::Error;
+use crate::{Error, MAX_ENCODED_SIZE};
 
 /// A trait for types that can produce a `&BitField` (or fail to do so).
 /// Generalizes over `&BitField` and `&mut UnvalidatedBitField`.
@@ -77,6 +77,12 @@ impl<'de> Deserialize<'de> for UnvalidatedBitField {
         D: Deserializer<'de>,
     {
         let bytes: Vec<u8> = serde_bytes::deserialize(deserializer)?;
+        if bytes.len() > MAX_ENCODED_SIZE {
+            return Err(serde::de::Error::custom(format!(
+                "encoded bitfield was too large {}",
+                bytes.len()
+            )));
+        }
         Ok(Self::Unvalidated(bytes))
     }
 }
diff --git a/ipld/bitfield/tests/bitfield_tests.rs b/ipld/bitfield/tests/bitfield_tests.rs
@@ -3,7 +3,7 @@
 
 use std::collections::HashSet;
 
-use fvm_ipld_bitfield::{bitfield, BitField};
+use fvm_ipld_bitfield::{bitfield, BitField, UnvalidatedBitField};
 use rand::{Rng, SeedableRng};
 use rand_xorshift::XorShiftRng;
 
@@ -232,3 +232,67 @@ fn exceeds_bitfield_range() {
     BitField::try_from_bits([0, 1, 4, 99, u64::MAX - 1])
         .expect("expected setting u64::MAX-1 to succeed");
 }
+
+#[test]
+fn bitfield_custom() {
+    let mut bf = BitField::new();
+
+    // Set alternating bits for worst-case size performance
+    let mut i = 0;
+    while i < 1_000_000 {
+        bf.set(i);
+        i += 2;
+    }
+    println!("# Set bits: {}", bf.len());
+
+    // Standard serialization catches MAX_ENCODING_SIZE issues
+    println!("Attempting to serialize...");
+    match fvm_ipld_encoding::to_vec(&bf) {
+        Ok(_) => panic!("This should have failed!"),
+        Err(_) => println!("Standard serialization failed, as expected"),
+    }
+
+    // Bypass to_vec enc size check so we can test deserialization
+    println!("Manually serializing...");
+    // CBOR prefix for the bytes
+    let mut cbor = vec![0x5A, 0x00, 0x01, 0xE8, 0x49];
+    cbor.extend_from_slice(&bf.to_bytes());
+    println!("Success!");
+
+    println!("# bytes of cbor: {}", cbor.len());
+    println!("Header: {:#010b}", cbor[0]);
+    println!("-- maj type {}", (cbor[0] & 0xe0) >> 5);
+
+    // Get size of payload size
+    let info = cbor[0] & 0x1f;
+    println!("-- adtl info {}", info);
+
+    // Get payload size
+    let size = match info {
+        0..=23 => info as usize,
+        24 => cbor[1] as usize,
+        25 => u16::from_be_bytes([cbor[1], cbor[2]]) as usize,
+        26 => u32::from_be_bytes([cbor[1], cbor[2], cbor[3], cbor[4]]) as usize,
+        27 => u64::from_be_bytes([
+            cbor[1], cbor[2], cbor[3], cbor[4], cbor[5], cbor[6], cbor[7], cbor[8],
+        ]) as usize,
+        _ => {
+            println!("OUT OF RANGE");
+            0
+        }
+    };
+
+    println!("{} byte payload", size);
+
+    // Deserialize and validate malicious payload
+    println!("Attempting to deserialize and validate...");
+    match fvm_ipld_encoding::from_slice::<UnvalidatedBitField>(&cbor) {
+        Ok(mut bitfield) => {
+            bitfield.validate_mut().unwrap();
+            panic!("Error - deserialized/validated payload over 32768 bytes.");
+        }
+        Err(_) => {
+            println!("Success - payload over 32768 bytes cannot be deserialized");
+        }
+    }
+}

Original file line number	Diff line number	Diff line change
`@@ -7,7 +7,7 @@ use fvm_ipld_encoding::serde_bytes;`
`7`	`7`	`use serde::{Deserialize, Deserializer, Serialize};`
`8`	`8`
`9`	`9`	`use super::BitField;`
`10`		`-use crate::Error;`
	`10`	`+use crate::{Error, MAX_ENCODED_SIZE};`
`11`	`11`
`12`	`12`	/// A trait for types that can produce a `&BitField` (or fail to do so).
`13`	`13`	/// Generalizes over `&BitField` and `&mut UnvalidatedBitField`.
`@@ -77,6 +77,12 @@ impl<'de> Deserialize<'de> for UnvalidatedBitField {`
`77`	`77`	`D: Deserializer<'de>,`
`78`	`78`	`{`
`79`	`79`	`let bytes: Vec<u8> = serde_bytes::deserialize(deserializer)?;`
	`80`	`+ if bytes.len() > MAX_ENCODED_SIZE {`
	`81`	`+ return Err(serde::de::Error::custom(format!(`
	`82`	`+ "encoded bitfield was too large {}",`
	`83`	`+ bytes.len()`
	`84`	`+ )));`
	`85`	`+ }`
`80`	`86`	`Ok(Self::Unvalidated(bytes))`
`81`	`87`	`}`
`82`	`88`	`}`