Check valid parent selection hash string#12985
Check valid parent selection hash string#12985serrislew wants to merge 2 commits intoapache:masterfrom
Conversation
There was a problem hiding this comment.
Pull request overview
This PR addresses a reported memory-safety issue in ATS parent selection parsing by adding validation for the optional &hash portion of parent entries, preventing oversized hash strings from being copied into fixed-size buffers.
Changes:
- Add a length check for the optional parent
&hashstring duringParentRecord::ProcessParents()parsing. - Fail parsing with a specific error when the hash string exceeds the allowed maximum.
| if (tmp3 && strlen(tmp3) > MAXDNAME) { | ||
| errPtr = "Parent hash_string is too long"; | ||
| goto MERROR; |
There was a problem hiding this comment.
The new length guard is off by one because tmp3 points at the '&' separator while the destination buffer is hash_string[MAXDNAME + 1] and the copy size is strlen(tmp3) (which includes the '&'). As written, a hash string of exactly MAXDNAME bytes (valid for MAXDNAME + 1 buffer including NUL) is rejected. Consider validating against strlen(tmp3) > MAXDNAME + 1 (copy size) or checking strlen(tmp3 + 1) > MAXDNAME (hash-string payload), and reuse the computed length for the subsequent memcpy.
| if (tmp3 && strlen(tmp3) > MAXDNAME) { | ||
| errPtr = "Parent hash_string is too long"; | ||
| goto MERROR; | ||
| } |
There was a problem hiding this comment.
This adds new input validation for '&hash' tokens but there’s no regression coverage for the new failure mode or the boundary condition (hash length == MAXDNAME). Since this file already contains EXCLUSIVE_REGRESSION_TEST(PARENTSELECTION), please add a test that exercises an overlong hash string (expecting the parse to fail with the new error) and a max-length hash string (expecting it to be accepted).
Resolves #12973 by checking parent hash string length