fix overflow in frame decoder

ntex-rs · Dec 3, 2021 · e5fcc1f · e5fcc1f
1 parent cebb3df
commit e5fcc1f
Show file tree

Hide file tree

Showing 4 changed files with 31 additions and 3 deletions.
diff --git a/CHANGES.md b/CHANGES.md
@@ -1,5 +1,10 @@
 # Changes
 
+
+## [codec-0.7.4] - 2021-12-03
+
+* Fix overflow in frame decoder
+
 ## [0.5.7] - 2021-12-02
 
 * Add memory pools support

diff --git a/codec/Cargo.toml b/codec/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "ntex-amqp-codec"
-version = "0.7.3"
+version = "0.7.4"
 description = "AMQP 1.0 Protocol Codec"
 authors = ["Nikolay Kim <[email protected]>", "Max Gortman <[email protected]>", "Mike Yagley <[email protected]>"]
 license = "MIT/Apache-2.0"

diff --git a/codec/src/error.rs b/codec/src/error.rs
@@ -34,10 +34,12 @@ pub enum AmqpParseError {
 #[derive(Debug, Display, From, Clone)]
 pub enum AmqpCodecError {
     ParseError(AmqpParseError),
-    #[display(fmt = "bytes left unparsed at the frame trail")]
+    #[display(fmt = "Bytes left unparsed at the frame trail")]
     UnparsedBytesLeft,
-    #[display(fmt = "max inbound frame size exceeded")]
+    #[display(fmt = "Max inbound frame size exceeded")]
     MaxSizeExceeded,
+    #[display(fmt = "Invalid inbound frame size")]
+    InvalidFrameSize,
 }
 
 #[derive(Debug, Display, From, Clone)]

diff --git a/codec/src/io.rs b/codec/src/io.rs
@@ -73,6 +73,9 @@ impl<T: Decode + Encode> Decoder for AmqpCodec<T> {
                     if self.max_size != 0 && size > self.max_size {
                         return Err(AmqpCodecError::MaxSizeExceeded);
                     }
+                    if size <= 4 {
+                        return Err(AmqpCodecError::InvalidFrameSize);
+                    }
                     self.state.set(DecodeState::Frame(size - 4));
                     src.advance(4);
 
@@ -162,3 +165,21 @@ impl Encoder for ProtocolIdCodec {
         Ok(())
     }
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    use crate::AmqpFrame;
+
+    #[test]
+    fn test_decode() -> Result<(), AmqpCodecError> {
+        let mut data = BytesMut::from(b"\0\0\0\0\0\0\0\0\0\x06AC@A\0S$\xc0\x01\0B".as_ref());
+
+        let codec = AmqpCodec::<AmqpFrame>::new();
+        let res = codec.decode(&mut data);
+        assert!(matches!(res, Err(AmqpCodecError::InvalidFrameSize)));
+
+        Ok(())
+    }
+}