Skip to content

Commit

Permalink
WIP: Avoid potential DoS with high compression
Browse files Browse the repository at this point in the history
Signed-off-by: Sergio Arroutbi <[email protected]>
  • Loading branch information
sarroutbi committed May 14, 2024
1 parent 76ec70b commit bb50ede
Show file tree
Hide file tree
Showing 3 changed files with 60 additions and 0 deletions.
2 changes: 2 additions & 0 deletions lib/hooks.h
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,8 @@
#include <jose/jws.h>
#include <jose/jwe.h>

#define MAX_COMPRESSION_SIZE (256*1024)

typedef enum {
JOSE_HOOK_JWK_KIND_NONE = 0,
JOSE_HOOK_JWK_KIND_TYPE,
Expand Down
3 changes: 3 additions & 0 deletions lib/zlib/deflate.c
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,9 @@ typedef struct {
static bool
feed(jose_io_t *io, const void *in, size_t len, typeof(deflate) *func)
{
if (len > MAX_COMPRESSION_SIZE) {
return false;
}
io_t *i = containerof(io, io_t, io);

i->strm.next_in = (void *) in;
Expand Down
55 changes: 55 additions & 0 deletions tests/alg_comp.c
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,7 @@
#include <jose/jose.h>
#include <assert.h>
#include <string.h>
#include <stdlib.h>

const struct {
const char *alg;
Expand All @@ -41,6 +42,56 @@ const struct {
{}
};

static uint8_t* get_random_string(uint32_t length)
{
assert(length);
uint8_t* c = (uint8_t*)malloc(length*sizeof(uint8_t));
for (uint32_t i=0; i<length; i++) {
c[i] = 'A' + (random() % 26);
}
return c;
}

static void
test_long_string(size_t inputlen) {
jose_io_auto_t *b = NULL;
jose_io_auto_t *c = NULL;
jose_io_auto_t *z = NULL;
void *buf1 = NULL;
void *buf2 = NULL;
size_t blen = 0;
size_t clen = 0;
const jose_hook_alg_t *a = jose_hook_alg_find(JOSE_HOOK_ALG_KIND_COMP, "DEF");
uint8_t* str = get_random_string(inputlen);

/* Test compression first. */
b = jose_io_malloc(NULL, &buf1, &blen);
assert(b);
z = a->comp.def(a, NULL, b);
assert(z);

if(inputlen > MAX_COMPRESSION_SIZE) {
assert(!z->feed(z, str, inputlen));
} else {
assert(z->feed(z, str, inputlen));
assert(z->done(z));

/* Test decompression now. */
c = jose_io_malloc(NULL, &buf2, &clen);
assert(b);
z = a->comp.inf(a, NULL, c);
assert(z);
assert(z->feed(z, buf1, blen));
assert(z->done(z));

/* Compare the final output with the original input. */
assert(clen == inputlen);
assert(memcmp(buf2, str, inputlen) == 0);
}

free(str);
}

static void
test(const jose_hook_alg_t *a, bool iter,
const uint8_t *i, size_t il)
Expand Down Expand Up @@ -119,5 +170,9 @@ main(int argc, char *argv[])
tst_inf, sizeof(tst_inf));
}

test_long_string(200000);
test_long_string(MAX_COMPRESSION_SIZE);
test_long_string(300000);

return EXIT_SUCCESS;
}

0 comments on commit bb50ede

Please sign in to comment.