WIP: Avoid potential DoS with high compression

Signed-off-by: Sergio Arroutbi <[email protected]>
latchset · May 14, 2024 · 6655ee7 · 6655ee7
1 parent 76ec70b
commit 6655ee7
Show file tree

Hide file tree

Showing 4 changed files with 81 additions and 0 deletions.
diff --git a/lib/jwe.c b/lib/jwe.c
@@ -28,6 +28,8 @@
 
 #include <unistd.h>
 
+#define MAX_COMPRESSED_SIZE (256*1024)
+
 static bool
 jwe_hdr_set_new(json_t *jwe, const char *name, json_t *value)
 {
@@ -357,6 +359,11 @@ jose_jwe_dec(jose_cfg_t *cfg, const json_t *jwe, const json_t *rcp,
 {
  json_auto_t *cek = NULL;
 
+ if (ptl && *ptl > MAX_COMPRESSED_SIZE) {
+ jose_cfg_err(cfg, JOSE_CFG_ERR_JWK_DENIED, "Maximum decompression size reached");
+ return NULL;
+ }
+
  cek = jose_jwe_dec_jwk(cfg, jwe, rcp, jwk);
  if (!cek)
  return NULL;

diff --git a/lib/zlib/deflate.c b/lib/zlib/deflate.c
@@ -23,8 +23,11 @@
 #define containerof(ptr, type, member) \
  ((type *)((char *) ptr - offsetof(type, member)))
 
+static size_t MAX_COMPRESSED_SIZE = (256*1024);
+
 static size_t SIZE = 4096;
 
+
 typedef struct {
  jose_io_t io;
  jose_io_t *next;
@@ -34,6 +37,9 @@ typedef struct {
 static bool
 feed(jose_io_t *io, const void *in, size_t len, typeof(deflate) *func)
 {
+ if (len > MAX_COMPRESSED_SIZE) {
+ return false;
+ }
  io_t *i = containerof(io, io_t, io);
 
  i->strm.next_in = (void *) in;

diff --git a/tests/alg_comp.c b/tests/alg_comp.c
@@ -19,6 +19,7 @@
 #include <jose/jose.h>
 #include <assert.h>
 #include <string.h>
+#include <stdlib.h>
 
 const struct {
  const char *alg;
@@ -41,6 +42,53 @@ const struct {
  {}
 };
 
+static uint8_t* get_random_string(uint32_t length)
+{
+ assert(length);
+ uint8_t* c = (uint8_t*)malloc(length*sizeof(uint8_t));
+ for (uint32_t i=0; i<length; i++) {
+ c[i] = 'A' + (random() % 26);
+ }
+ return c;
+}
+
+static void
+test_long_string(size_t inputlen) {
+ jose_io_auto_t *b = NULL;
+ jose_io_auto_t *c = NULL;
+ jose_io_auto_t *z = NULL;
+ void *buf1 = NULL;
+ void *buf2 = NULL;
+ size_t blen = 0;
+ size_t clen = 0;
+ const jose_hook_alg_t *a = jose_hook_alg_find(JOSE_HOOK_ALG_KIND_COMP, "DEF");
+ uint8_t* str = get_random_string(inputlen);
+
+
+ /* Test compression first. */
+ b = jose_io_malloc(NULL, &buf1, &blen);
+ assert(b);
+ z = a->comp.def(a, NULL, b);
+ assert(z);
+
+ assert(z->feed(z, str, inputlen));
+ assert(z->done(z));
+
+ /* Test decompression now. */
+ c = jose_io_malloc(NULL, &buf2, &clen);
+ assert(b);
+ z = a->comp.inf(a, NULL, c);
+ assert(z);
+ assert(z->feed(z, buf1, blen));
+ assert(z->done(z));
+
+ /* Compare the final output with the original input. */
+ assert(clen == inputlen);
+ assert(memcmp(buf2, str, inputlen) == 0);
+
+ free(str);
+}
+
 static void
 test(const jose_hook_alg_t *a, bool iter,
  const uint8_t *i, size_t il)
@@ -119,5 +167,8 @@ main(int argc, char *argv[])
  tst_inf, sizeof(tst_inf));
  }
 
+ test_long_string(200000); // inside limits
+ // test_long_string(300000); // outside limits
+
  return EXIT_SUCCESS;
 }
diff --git a/tests/api_jwe.c b/tests/api_jwe.c
@@ -43,6 +43,15 @@ dec(json_t *jwe, json_t *jwk)
  return ret;
 }
 
+static char* get_string(uint32_t length, char fill) {
+ assert(length);
+ char* c = (char*)malloc(length*sizeof(char));
+ for (uint32_t i=0; i<length; i++) {
+ c[i] = fill;
+ }
+ return c;
+}
+
 int
 main(int argc, char *argv[])
 {
@@ -98,5 +107,13 @@ main(int argc, char *argv[])
  assert(dec(jwe, set1));
  assert(dec(jwe, set2));
 
+ char* long_str_300k = get_string(300000, 'a');
+ json_decref(jwe);
+ assert((jwe = json_object()));
+ assert(jose_jwe_enc(NULL, jwe, NULL, jwke, long_str_300k, 300000));
+ assert(!dec(jwe, jwke));
+ free(long_str_300k);
+ json_decref(jwe);
+
  return EXIT_SUCCESS;
 }