From 0d4f0f6adc789af31518f2d6c121922b51140607 Mon Sep 17 00:00:00 2001
From: Bryan Roe
Date: Fri, 26 Jun 2020 23:10:43 -0700
Subject: [PATCH] 1. Implemented missing event 'net.server.connect' 2. Added integer overflow checks on ILibMemory operations 3. Added better bounds checking for DNS resolve and PE header parsing
---
meshconsole/main.c | 27 --------
meshcore/agentcore.c | 43 +++++++-----
meshservice/ServiceMain.c | 4 +-
microscript/ILibDuktape_HttpStream.c | 15 +++++
microscript/ILibDuktape_ScriptContainer.c | 80 +----------------------
microstack/ILibParsers.c | 3 +
microstack/ILibParsers.h | 10 +--
7 files changed, 55 insertions(+), 127 deletions(-)
diff --git a/meshconsole/main.c b/meshconsole/main.c
index 7944b19..7ecee83 100644
--- a/meshconsole/main.c
+++ b/meshconsole/main.c
@@ -64,33 +64,6 @@ void BreakSink(int s) } #endif -#if defined(WIN32) && defined(MeshLibInterface) -extern void ILibDuktape_ScriptContainer_GetEmbeddedJS_Raw(char *exePath, char **script, int *scriptLen); -typedef void(__stdcall *ExternalDispatch)(void *data); -__declspec(dllexport) ExternalDispatch ExternalDispatchSink = NULL; -__declspec(dllexport) int mainEx(int argc, char **argv, ExternalDispatch ptr) -{ - int retCode = 0; - char *js = NULL; - int jsLen = 0; - - ExternalDispatchSink = ptr; - ILibDuktape_ScriptContainer_GetEmbeddedJS_Raw(argv[0], &js, &jsLen); - - agentHost = MeshAgent_Create(0); - agentHost->exePath = (char*)ILibMemory_AllocateA(strnlen_s(argv[0], _MAX_PATH) + 1); - memcpy_s(agentHost->exePath, ILibMemory_AllocateA_Size(agentHost->exePath), argv[0], ILibMemory_AllocateA_Size(agentHost->exePath) - 1); - - agentHost->meshCoreCtx_embeddedScript = js; - agentHost->meshCoreCtx_embeddedScriptLen = jsLen; - while (MeshAgent_Start(agentHost, argc, argv) != 0); - retCode = agentHost->exitCode; - MeshAgent_Destroy(agentHost); - agentHost = NULL; - return(retCode); -} -#endif - #if defined(_LINKVM) && defined(__APPLE__) extern void* kvm_server_mainloop(void *parm); extern void senddebug(int val); diff --git a/meshcore/agentcore.c b/meshcore/agentcore.c index a9cd749..d5e4ab8 100644 --- a/meshcore/agentcore.c +++ b/meshcore/agentcore.c 
@@ -2263,26 +2263,35 @@ int GenerateSHA384FileHash(char *filePath, char *fileHash) // PE Image optHeader = ILibMemory_AllocateA(((unsigned short*)ILibScratchPad)[10]); ignore_result(fread(optHeader, 1, ILibMemory_AllocateA_Size(optHeader), tmpFile)); - switch (((unsigned short*)optHeader)[0]) + if (ILibMemory_AllocateA_Size(optHeader) > 4) { - case 0x10B: - if (((unsigned int*)(optHeader + 128))[0] != 0) + switch (((unsigned short*)optHeader)[0]) { - endIndex = ((unsigned int*)(optHeader + 128))[0]; + case 0x10B: + if (ILibMemory_AllocateA_Size(optHeader) >= 132) + { + if (((unsigned int*)(optHeader + 128))[0] != 0) + { + endIndex = ((unsigned int*)(optHeader + 128))[0]; + } + tableIndex = NTHeaderIndex + 24 + 128; + retVal = 0; + } + break; + case 0x20B: + if (ILibMemory_AllocateA_Size(optHeader) >= 148) + { + if (((unsigned int*)(optHeader + 144))[0] != 0) + { + endIndex = ((unsigned int*)(optHeader + 144))[0]; + } + tableIndex = NTHeaderIndex + 24 + 144; + retVal = 0; + } + break; + default: + break; } - tableIndex = NTHeaderIndex + 24 + 128; - retVal = 0; - break; - case 0x20B: - if (((unsigned int*)(optHeader + 144))[0] != 0) - { - endIndex = ((unsigned int*)(optHeader + 144))[0]; - } - tableIndex = NTHeaderIndex + 24 + 144; - retVal = 0; - break; - default: - break; } } } diff --git a/meshservice/ServiceMain.c b/meshservice/ServiceMain.c index 4645cba..f6b5249 100644 --- a/meshservice/ServiceMain.c +++ b/meshservice/ServiceMain.c @@ -786,7 +786,7 @@ int wmain(int argc, char* wargv[]) { char* data; int len = MeshInfo_GetSystemInformation(&data); - if (len > 0) { printf(data); } + if (len > 0) { printf_s(data); } } else if (argc > 1 && (strcasecmp(argv[1], "-setfirewall") == 0)) { 
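Review bot: The new size guards in GenerateSHA384FileHash test `ILibMemory_AllocateA_Size(optHeader)`, which is the length taken from the file's own header field, not the number of bytes `fread` actually delivered, because the read count is still discarded by `ignore_result`. A truncated file therefore still passes `>= 132` / `>= 148`, and unless ILibMemory_Init zeroes the buffer (not visible here) the fields at `optHeader + 128` / `+ 144` that feed `endIndex` come from whatever the stack held. Keeping the count, e.g. `size_t optLen = fread(optHeader, 1, ILibMemory_AllocateA_Size(optHeader), tmpFile);`, and testing `optLen` in the three guards would tie the checks to real file data. The same pattern is in the two ILibDuktape_ScriptContainer_CheckEmbeddedEx hunks later in this patch. The function starts and ends outside this hunk.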
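Review bot: `printf_s(data)` still uses `data` as the format string, so any `%` sequence in the system-information text is interpreted as a conversion with no matching argument. Moving from printf to printf_s tightens format validation but does not turn the text into plain data. Pass it as an argument instead: `if (len > 0) { printf_s("%s", data); }`. The second hunk in this file has the same issue with `strEx`, which appears to be read from the registry, and wants `printf_s("%s", strEx);`.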
@@ -820,7 +820,7 @@ int wmain(int argc, char* wargv[]) } RegCloseKey(hKey); } - if (strEx != NULL) printf(strEx); else printf("Not defined, start the mesh service to create a nodeid."); + if (strEx != NULL) printf_s(strEx); else printf("Not defined, start the mesh service to create a nodeid."); wmain_free(argv); return 0; } diff --git a/microscript/ILibDuktape_HttpStream.c b/microscript/ILibDuktape_HttpStream.c index 5478ca2..3730a19 100644 --- a/microscript/ILibDuktape_HttpStream.c +++ b/microscript/ILibDuktape_HttpStream.c @@ -2983,6 +2983,21 @@ void ILibDuktape_HttpStream_OnReceive(ILibWebClient_StateObject WebStateObject, if (header->DirectiveLength == 7 && strncasecmp(header->Directive, "CONNECT", 7) == 0) { // Connect + duk_push_string(ctx, "connect"); // [emit][this][request] + ILibDuktape_HttpStream_IncomingMessage_PUSH(ctx, header, data->DS->ParentObject); // [emit][this][request][imsg] + data->bodyStream = ILibDuktape_ReadableStream_InitEx(ctx, ILibDuktape_HttpStream_IncomingMessage_PauseSink, ILibDuktape_HttpStream_IncomingMessage_ResumeSink, ILibDuktape_HttpStream_IncomingMessage_UnshiftBytes, data); + duk_dup(ctx, -3); duk_dup(ctx, -2); // [emit][this][request][imsg][httpstream][imsg] + duk_put_prop_string(ctx, -2, ILibDuktape_HTTPStream2IMSG); duk_pop(ctx); // [emit][this][request][imsg] + + ILibDuktape_HttpStream_ServerResponse_PUSH(ctx, data->DS->writableStream->pipedReadable, header, data->DS->ParentObject); // [emit][this][request][imsg][rsp] + + if (duk_pcall_method(ctx, 3) != 0) { ILibDuktape_Process_UncaughtExceptionEx(ctx, "http.httpStream.onReceive->request(): "); } + duk_pop(ctx); + + if (bodyBuffer != NULL && endPointer > 0) + { + ILibDuktape_readableStream_WriteData(data->bodyStream, bodyBuffer + *beginPointer, endPointer); + } } else { diff --git a/microscript/ILibDuktape_ScriptContainer.c b/microscript/ILibDuktape_ScriptContainer.c index a637583..035803f 100644 --- a/microscript/ILibDuktape_ScriptContainer.c 
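Review bot: The body write that closes the new CONNECT branch passes `endPointer` as the byte count while starting at `bodyBuffer + *beginPointer`. If `endPointer` is the end offset of the valid data (the callback signature and the other branches are outside this hunk), a non-zero `*beginPointer` makes the write read past the received bytes, and the length should be `endPointer - *beginPointer`. `*beginPointer` is also not advanced inside the branch, so confirm the caller does not hand the same bytes to the stream a second time. Separately, the uncaught-exception label still reads `"http.httpStream.onReceive->request(): "`; using `"http.httpStream.onReceive->connect(): "` would make a failing 'connect' handler attributable in logs.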
+++ b/microscript/ILibDuktape_ScriptContainer.c 
@@ -288,79 +288,6 @@ void ILibDuktape_ScriptContainer_Slave_OnBrokenPipe(ILibProcessPipe_Pipe sender) } } - -#if defined(WIN32) && defined(MeshLibInterface) -void ILibDuktape_ScriptContainer_GetEmbeddedJS_Raw(char *exePath, char **script, int *scriptLen) -{ - char *integratedJavaScript = NULL; - int integratedJavaScriptLen = 0; - FILE* tmpFile = NULL; - - _wfopen_s(&tmpFile, ILibUTF8ToWide(exePath, -1), L"rb"); - if (tmpFile != NULL) - { - // Read the PE Headers, to determine where to look for the Embedded JS - char *optHeader = NULL; - fseek(tmpFile, 0, SEEK_SET); - ignore_result(fread(ILibScratchPad, 1, 2, tmpFile)); - if (ntohs(((unsigned int*)ILibScratchPad)[0]) == 19802) // 5A4D - { - fseek(tmpFile, 60, SEEK_SET); - ignore_result(fread(ILibScratchPad, 1, 4, tmpFile)); - fseek(tmpFile, ((unsigned *)ILibScratchPad)[0], SEEK_SET); - ignore_result(fread(ILibScratchPad, 1, 24, tmpFile)); - if (((unsigned int*)ILibScratchPad)[0] == 17744) - { - // PE Image - optHeader = ILibMemory_AllocateA(((unsigned short*)ILibScratchPad)[10]); - ignore_result(fread(optHeader, 1, ILibMemory_AllocateA_Size(optHeader), tmpFile)); - switch (((unsigned short*)optHeader)[0]) - { - case 0x10B: - if (((unsigned int*)(optHeader + 128))[0] != 0) - { - fseek(tmpFile, ((unsigned int*)(optHeader + 128))[0] - 16, SEEK_SET); - } - else - { - fseek(tmpFile, -16, SEEK_END); - } - break; - case 0x20B: - if (((unsigned int*)(optHeader + 144))[0] != 0) - { - fseek(tmpFile, ((unsigned int*)(optHeader + 144))[0] - 16, SEEK_SET); - } - else - { - fseek(tmpFile, -16, SEEK_END); - } - break; - default: - fclose(tmpFile); - return; - } - ignore_result(fread(ILibScratchPad, 1, 16, tmpFile)); - util_hexToBuf(exeJavaScriptGuid, 32, ILibScratchPad2); - if (memcmp(ILibScratchPad, ILibScratchPad2, 16) == 0) - { - // Found an Embedded JS - fseek(tmpFile, -20, SEEK_CUR); - ignore_result(fread((void*)&integratedJavaScriptLen, 1, 4, tmpFile)); - integratedJavaScriptLen = (int)ntohl(integratedJavaScriptLen); - 
fseek(tmpFile, -4 - integratedJavaScriptLen, SEEK_CUR); - integratedJavaScript = ILibMemory_Allocate(integratedJavaScriptLen + 1, 0, NULL, NULL); - ignore_result(fread(integratedJavaScript, 1, integratedJavaScriptLen, tmpFile)); - integratedJavaScript[integratedJavaScriptLen] = 0; - } - } - } - fclose(tmpFile); - } - *script = integratedJavaScript; - *scriptLen = integratedJavaScriptLen; -} -#endif void ILibDuktape_ScriptContainer_CheckEmbeddedEx(char *exePath, char **script, int *scriptLen) { int i; @@ -433,10 +360,12 @@ void ILibDuktape_ScriptContainer_CheckEmbeddedEx(char *exePath, char **script, i { // PE Image optHeader = ILibMemory_AllocateA(((unsigned short*)ILibScratchPad)[10]); + if (ILibMemory_AllocateA_Size(optHeader) < 4) { fclose(tmpFile); return; } ignore_result(fread(optHeader, 1, ILibMemory_AllocateA_Size(optHeader), tmpFile)); switch (((unsigned short*)optHeader)[0]) { case 0x10B: + if (ILibMemory_AllocateA_Size(optHeader) < 132) { fclose(tmpFile); return; } if (((unsigned int*)(optHeader + 128))[0] != 0) { fseek(tmpFile, ((unsigned int*)(optHeader + 128))[0] - 16, SEEK_SET); @@ -447,6 +376,7 @@ void ILibDuktape_ScriptContainer_CheckEmbeddedEx(char *exePath, char **script, i } break; case 0x20B: + if (ILibMemory_AllocateA_Size(optHeader) < 148) { fclose(tmpFile); return; } if (((unsigned int*)(optHeader + 144))[0] != 0) { fseek(tmpFile, ((unsigned int*)(optHeader + 144))[0] - 16, SEEK_SET); @@ -3698,10 +3628,6 @@ duk_ret_t ILibDuktape_ScriptContainer_Create(duk_context *ctx) } } -#if defined(MeshLibInterface) - if (processIsolation != 0) { return(ILibDuktape_Error(ctx, "Process Isolation is not supported with this runtime")); } -#endif - duk_push_heap_stash(ctx); duk_get_prop_string(ctx, -1, ILibDuktape_ScriptContainer_ExePath); duk_get_prop_string(ctx, -2, ILibDuktape_ScriptContainer_PipeManager); diff --git a/microstack/ILibParsers.c b/microstack/ILibParsers.c index 4e42f2d..be6f3bb 100644 --- a/microstack/ILibParsers.c 
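Review bot: The guards added to ILibDuktape_ScriptContainer_CheckEmbeddedEx use the bare literals 4, 132 and 148, and the minimum-size test here (`< 4` rejects) is not the same as the one added to GenerateSHA384FileHash in agentcore.c (`> 4` accepts), so a 4-byte optional header is handled differently by the two parsers. 132 and 148 are the ends of the 4-byte fields read at `optHeader + 128` and `optHeader + 144`; a comment such as `/* 128 + sizeof(unsigned int): end of the PE32 field read below */`, or named constants shared with agentcore.c, would keep the two copies in step. The new early `return` paths also leave before any assignment to `*script` / `*scriptLen` that is visible in these hunks, so confirm the outputs are initialised at the top of the function, which is outside the hunk.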
+++ b/microstack/ILibParsers.c @@ -1130,6 +1130,8 @@ void* ILibMemory_AllocateA_Get(void *buffer, size_t sz) } void* ILibMemory_Allocate(int containerSize, int extraMemorySize, void** allocatedContainer, void **extraMemory) { + if (!((containerSize < (INT32_MAX - extraMemorySize)) && (containerSize + extraMemorySize) < (INT32_MAX - 4))) { ILIBCRITICALEXIT(254); } + char* retVal = (char*)malloc(containerSize + extraMemorySize + (extraMemorySize > 0 ? 4 : 0)); if (retVal == NULL) { ILIBCRITICALEXIT(254); } memset(retVal, 0, containerSize + extraMemorySize + (extraMemorySize > 0 ? 4 : 0)); @@ -10134,6 +10136,7 @@ int ILibResolveEx3(char* hostname, char *service, struct sockaddr_in6* addr6, in { int hostnameLen = (int)strnlen_s(hostname, 4096); char *newHost = _alloca((size_t)hostnameLen); + if (hostnameLen < 2) { return(-1); } memcpy_s(newHost, hostnameLen, hostname + 1, hostnameLen - 2); newHost[hostnameLen - 2] = 0; hostname = newHost; diff --git a/microstack/ILibParsers.h b/microstack/ILibParsers.h index 23fd558..bb9e1c4 100644 --- a/microstack/ILibParsers.h +++ b/microstack/ILibParsers.h 
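Review bot: The overflow guard added at the top of ILibMemory_Allocate does not reject negative sizes. With a negative `extraMemorySize` the subtraction `INT32_MAX - extraMemorySize` itself overflows a signed int, and a negative `containerSize` paired with a larger positive `extraMemorySize` passes both comparisons and reaches `malloc` with a total that can be smaller than `extraMemorySize`. Checking the signs first covers both cases: `if (containerSize < 0 || extraMemorySize < 0 || containerSize > INT32_MAX - 4 - extraMemorySize) { ILIBCRITICALEXIT(254); }`. The rest of the function, including how the two sizes are used after the `memset`, is outside the hunk.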
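Review bot: In the ILibResolveEx3 hunk the `hostnameLen < 2` guard sits after `_alloca((size_t)hostnameLen)`, so the stack allocation still runs for the lengths the guard is meant to reject. Moving `if (hostnameLen < 2) { return(-1); }` directly after the `strnlen_s` line keeps validation ahead of every use of the length. A short comment that the copy drops the first and last character would also explain the `hostnameLen - 2` in the `memcpy_s` and terminator lines. The condition that selects this branch is outside the hunk.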
@@ -414,20 +414,22 @@ int ILibIsRunningOnChainThread(void* chain); #define ILibMemory_Extra(ptr) (ILibMemory_ExtraSize(ptr)>0?((char*)(ptr) + ILibMemory_Size((ptr)) + sizeof(ILibMemory_Header)):NULL) #define ILibMemory_FromRaw(ptr) ((char*)(ptr) + sizeof(ILibMemory_Header)) + #define ILibMemory_Size_Validate(primaryLen, extraLen) (((size_t)primaryLen<(UINT32_MAX - (size_t)extraLen))&&((size_t)extraLen<(UINT32_MAX-(size_t)primaryLen))&&((size_t)(primaryLen + extraLen)<(UINT32_MAX - sizeof(ILibMemory_Header)))&&(extraLen==0 || ((size_t)(primaryLen+extraLen+sizeof(ILibMemory_Header))<(UINT32_MAX-sizeof(ILibMemory_Header))))) #define ILibMemory_Init_Size(primaryLen, extraLen) (primaryLen + extraLen + sizeof(ILibMemory_Header) + (extraLen>0?sizeof(ILibMemory_Header):0)) void* ILibMemory_Init(void *ptr, size_t primarySize, size_t extraSize, ILibMemory_Types memType); - #define ILibMemory_SmartAllocate(len) ILibMemory_Init(malloc(len+sizeof(ILibMemory_Header)), (int)len, 0, ILibMemory_Types_HEAP) - #define ILibMemory_SmartAllocateEx(primaryLen, extraLen) ILibMemory_Init(malloc(primaryLen + extraLen + sizeof(ILibMemory_Header) + (extraLen>0?sizeof(ILibMemory_Header):0)), (int)primaryLen, (int)extraLen, ILibMemory_Types_HEAP) + #define ILibMemory_SmartAllocate(len) ILibMemory_Init(ILibMemory_Size_Validate(len,0)?malloc(ILibMemory_Init_Size(len, 0)):NULL, (int)len, 0, ILibMemory_Types_HEAP) + #define ILibMemory_SmartAllocateEx(primaryLen, extraLen) ILibMemory_Init(ILibMemory_Size_Validate(primaryLen,extraLen)?malloc(ILibMemory_Init_Size(primaryLen, extraLen)):NULL, (int)primaryLen, (int)extraLen, ILibMemory_Types_HEAP) void* ILibMemory_SmartReAllocate(void *ptr, size_t len); void* ILibMemory_SmartAllocateEx_ResizeExtra(void *ptr, size_t extraSize); void ILibMemory_Free(void *ptr); void* ILibMemory_AllocateTemp(void* chain, size_t sz); + #define ILibMemory_AllocateA_ValidateSize(bufferLen) (bufferLen<(UINT32_MAX-(sizeof(void*) + (2*sizeof(ILibMemory_Header))))) #ifdef WIN32 - 
#define ILibMemory_AllocateA(bufferLen) ILibMemory_AllocateA_Init(ILibMemory_Init(_alloca(bufferLen + sizeof(void*) + (2*sizeof(ILibMemory_Header))), bufferLen, sizeof(void*), ILibMemory_Types_STACK)) + #define ILibMemory_AllocateA(bufferLen) ILibMemory_AllocateA_Init(ILibMemory_Init(ILibMemory_AllocateA_ValidateSize(bufferLen)?_alloca(bufferLen + sizeof(void*) + (2*sizeof(ILibMemory_Header))):NULL, bufferLen, sizeof(void*), ILibMemory_Types_STACK)) #else - #define ILibMemory_AllocateA(bufferLen) ILibMemory_AllocateA_Init(ILibMemory_Init(alloca(bufferLen + sizeof(void*) + (2*sizeof(ILibMemory_Header))), bufferLen, sizeof(void*), ILibMemory_Types_STACK)) + #define ILibMemory_AllocateA(bufferLen) ILibMemory_AllocateA_Init(ILibMemory_Init(ILibMemory_AllocateA_ValidateSize(bufferLen)?alloca(bufferLen + sizeof(void*) + (2*sizeof(ILibMemory_Header))):NULL, bufferLen, sizeof(void*), ILibMemory_Types_STACK)) #endif #define ILibMemory_AllocateA_Size(buffer) ILibMemory_Size(buffer) #define ILibMemory_AllocateA_Next(buffer) (((void**)buffer)[0])
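Review bot: `ILibMemory_Size_Validate` bounds the sizes by `UINT32_MAX`, but `ILibMemory_SmartAllocate` and `ILibMemory_SmartAllocateEx` still pass `(int)len`, `(int)primaryLen` and `(int)extraLen` to `ILibMemory_Init`, whose parameters are `size_t`. On a 64-bit build a length above `INT32_MAX` passes validation, turns negative in the cast and converts to a very large `size_t` that no longer matches what `malloc` was given. Bounding against `INT32_MAX`, or dropping the `(int)` casts, would make the check and the call agree. When validation fails the macros hand `NULL` to `ILibMemory_Init` (and, for `ILibMemory_AllocateA`, on to `ILibMemory_AllocateA_Init`); their definitions are not in this hunk, so confirm they tolerate a NULL pointer. The macro parameters are also used unparenthesised (`(size_t)primaryLen`, `primaryLen + extraLen`), so an expression argument is cast and summed in its original type.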