WIP: Avoid potential DoS with high compression

Signed-off-by: Sergio Arroutbi <[email protected]>

Author: sarroutbi

lib/jwe.c

@@ -28,6 +28,8 @@
 
 #include <unistd.h>
 
+#define MAX_COMPRESSED_SIZE (256*1024)
+
 static bool
 jwe_hdr_set_new(json_t *jwe, const char *name, json_t *value)
 {
@@ -357,6 +359,11 @@ jose_jwe_dec(jose_cfg_t *cfg, const json_t *jwe, const json_t *rcp,
 {
     json_auto_t *cek = NULL;
 
+    if (ptl && *ptl > MAX_COMPRESSED_SIZE) {
+        jose_cfg_err(cfg, JOSE_CFG_ERR_JWK_DENIED, "Maximum decompression size reached");
+        return NULL;
+    }
+
     cek = jose_jwe_dec_jwk(cfg, jwe, rcp, jwk);
     if (!cek)
         return NULL;

lib/zlib/deflate.c

@@ -23,8 +23,11 @@
 #define containerof(ptr, type, member) \
     ((type *)((char *) ptr - offsetof(type, member)))
 
+static size_t MAX_COMPRESSED_SIZE = (256*1024);
+
 static size_t SIZE = 4096;
 
+
 typedef struct {
     jose_io_t io;
     jose_io_t *next;
@@ -34,6 +37,9 @@ typedef struct {
 static bool
 feed(jose_io_t *io, const void *in, size_t len, typeof(deflate) *func)
 {
+    if (len > MAX_COMPRESSED_SIZE) {
+        return false;
+    }
     io_t *i = containerof(io, io_t, io);
 
     i->strm.next_in = (void *) in;

tests/alg_comp.c

@@ -19,6 +19,7 @@
 #include <jose/jose.h>
 #include <assert.h>
 #include <string.h>
+#include <stdlib.h>
 
 const struct {
     const char *alg;
@@ -41,6 +42,53 @@ const struct {
     {}
 };
 
+static uint8_t* get_random_string(uint32_t length)
+{
+    assert(length);
+    uint8_t* c = (uint8_t*)malloc(length*sizeof(uint8_t));
+    for (uint32_t i=0; i<length; i++) {
+        c[i] = 'A' + (random() % 26);
+    }
+    return c;
+}
+
+static void
+test_long_string(size_t inputlen) {
+    jose_io_auto_t *b = NULL;
+    jose_io_auto_t *c = NULL;
+    jose_io_auto_t *z = NULL;
+    void *buf1 = NULL;
+    void *buf2 = NULL;
+    size_t blen = 0;
+    size_t clen = 0;
+    const jose_hook_alg_t *a = jose_hook_alg_find(JOSE_HOOK_ALG_KIND_COMP, "DEF");
+    uint8_t* str = get_random_string(inputlen);
+
+
+    /* Test compression first. */
+    b = jose_io_malloc(NULL, &buf1, &blen);
+    assert(b);
+    z = a->comp.def(a, NULL, b);
+    assert(z);
+
+    assert(z->feed(z, str, inputlen));
+    assert(z->done(z));
+
+    /* Test decompression now. */
+    c = jose_io_malloc(NULL, &buf2, &clen);
+    assert(b);
+    z = a->comp.inf(a, NULL, c);
+    assert(z);
+    assert(z->feed(z, buf1, blen));
+    assert(z->done(z));
+
+    /* Compare the final output with the original input. */
+    assert(clen == inputlen);
+    assert(memcmp(buf2, str, inputlen) == 0);
+
+    free(str);
+}
+
 static void
 test(const jose_hook_alg_t *a, bool iter,
      const uint8_t *i, size_t il)
@@ -119,5 +167,8 @@ main(int argc, char *argv[])
              tst_inf, sizeof(tst_inf));
     }
 
+    test_long_string(200000); // inside limits
+    // test_long_string(300000); // outside limits
+
     return EXIT_SUCCESS;
 }

tests/api_jwe.c

@@ -43,6 +43,15 @@ dec(json_t *jwe, json_t *jwk)
     return ret;
 }
 
+static char* get_string(uint32_t length, char fill) {
+    assert(length);
+    char* c = (char*)malloc(length*sizeof(char));
+    for (uint32_t i=0; i<length; i++) {
+        c[i] = fill;
+    }
+    return c;
+}
+
 int
 main(int argc, char *argv[])
 {
@@ -98,5 +107,13 @@ main(int argc, char *argv[])
     assert(dec(jwe, set1));
     assert(dec(jwe, set2));
 
+    char* long_str_300k = get_string(300000, 'a');
+    json_decref(jwe);
+    assert((jwe = json_object()));
+    assert(jose_jwe_enc(NULL, jwe, NULL, jwke, long_str_300k, 300000));
+    assert(!dec(jwe, jwke));
+    free(long_str_300k);
+    json_decref(jwe);
+
     return EXIT_SUCCESS;
 }