inspector: prevent integer overflow in open()

tniessen · RafaelGSS · commit 2ed3b30696f5 · 2022-09-05T11:32:56.000-03:00
PR-URL: #44367 Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de> Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Rich Trott <rtrott@gmail.com> Reviewed-By: Kohei Ueno <kohei.ueno119@gmail.com>
diff --git a/lib/inspector.js b/lib/inspector.js
@@ -25,7 +25,9 @@ if (!hasInspector)
 const EventEmitter = require('events');
 const { queueMicrotask } = require('internal/process/task_queues');
 const {
+  isUint32,
   validateFunction,
+  validateInt32,
   validateObject,
   validateString,
 } = require('internal/validators');
@@ -168,6 +170,13 @@ function inspectorOpen(port, host, wait) {
   if (isEnabled()) {
     throw new ERR_INSPECTOR_ALREADY_ACTIVATED();
   }
+  // inspectorOpen() currently does not typecheck its arguments and adding
+  // such checks would be a potentially breaking change. However, the native
+  // open() function requires the port to fit into a 16-bit unsigned integer,
+  // causing an integer overflow otherwise, so we at least need to prevent that.
+  if (isUint32(port)) {
+    validateInt32(port, 'port', 0, 65535);
+  }
   open(port, host);
   if (wait)
     waitForDebugger();
diff --git a/src/inspector_js_api.cc b/src/inspector_js_api.cc
@@ -281,6 +281,7 @@ void Open(const FunctionCallbackInfo<Value>& args) {
 
   if (args.Length() > 0 && args[0]->IsUint32()) {
     uint32_t port = args[0].As<Uint32>()->Value();
+    CHECK_LE(port, std::numeric_limits<uint16_t>::max());
     ExclusiveAccess<HostPort>::Scoped host_port(agent->host_port());
     host_port->set_port(static_cast<int>(port));
   }
diff --git a/test/parallel/test-inspector-open-port-integer-overflow.js b/test/parallel/test-inspector-open-port-integer-overflow.js
@@ -0,0 +1,17 @@
+'use strict';
+
+// Regression test for an integer overflow in inspector.open() when the port
+// exceeds the range of an unsigned 16-bit integer.
+
+const common = require('../common');
+common.skipIfInspectorDisabled();
+common.skipIfWorker();
+
+const assert = require('assert');
+const inspector = require('inspector');
+
+assert.throws(() => inspector.open(99999), {
+  name: 'RangeError',
+  code: 'ERR_OUT_OF_RANGE',
+  message: 'The value of "port" is out of range. It must be >= 0 && <= 65535. Received 99999'
+});

Original file line number	Diff line number	Diff line change
`@@ -281,6 +281,7 @@ void Open(const FunctionCallbackInfo<Value>& args) {`
`281`	`281`
`282`	`282`	`if (args.Length() > 0 && args[0]->IsUint32()) {`
`283`	`283`	`uint32_t port = args[0].As<Uint32>()->Value();`
	`284`	`+ CHECK_LE(port, std::numeric_limits<uint16_t>::max());`
`284`	`285`	`ExclusiveAccess<HostPort>::Scoped host_port(agent->host_port());`
`285`	`286`	`host_port->set_port(static_cast<int>(port));`
`286`	`287`	`}`