
Side by Side Diff: webrtc/p2p/base/stun_unittest.cc

Issue 2071873002: Fix buffer overflow in HMAC validation of STUN messages. (Closed) Base URL: https://chromium.googlesource.com/external/webrtc.git@master
Patch Set: Allow length-0 extensions. Created 4 years, 6 months ago
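--- a/webrtc/p2p/base/stun_unittest.cc
+++ b/webrtc/p2p/base/stun_unittest.cc
@@ -1,10 +1,10 @@
 /*
 * Copyright 2004 The WebRTC Project Authors. All rights reserved.
 *
 * Use of this source code is governed by a BSD-style license
 * that can be found in the LICENSE file in the root of the source
 * tree. An additional intellectual property rights grant can be found
 * in the file PATENTS. All contributing project authors may
 * be found in the AUTHORS file in the root of the source tree.
 */
 
@@ -236,20 +236,33 @@
 0x00, 0x01, 0x00, 0x03, // length of 3
 0x21, 0x12, 0xA4, 0x42, // magic cookie
 '0', '1', '2', '3', // transaction id
 '4', '5', '6', '7',
 '8', '9', 'a', 'b',
 0x00, 0x20, 0x00, 0x08, // xor mapped address
 0x00, 0x01, 0x21, 0x1F,
 0x21, 0x12, 0xA4, 0x53,
 };
 
+static const unsigned char kStunMessageWithBadHmacAtEnd[] = {
+0x00, 0x01, 0x00, 0x14, // message length exactly 20
+0x21, 0x12, 0xA4, 0x42, // magic cookie
+'0', '1', '2', '3', // transaction ID
+'4', '5', '6', '7',
+'8', '9', 'a', 'b',
+0x00, 0x08, 0x00, 0x14, // type=STUN_ATTR_MESSAGE_INTEGRITY, length=20
+'0', '0', '0', '0', // We lied, there are only 16 bytes of HMAC.
+'0', '0', '0', '0',
+'0', '0', '0', '0',
+'0', '0', '0', '0',
+};
+
 // RTCP packet, for testing we correctly ignore non stun packet types.
 // V=2, P=false, RC=0, Type=200, Len=6, Sender-SSRC=85, etc
 static const unsigned char kRtcpPacket[] = {
 0x80, 0xc8, 0x00, 0x06, 0x00, 0x00, 0x00, 0x55,
 0xce, 0xa5, 0x18, 0x3a, 0x39, 0xcc, 0x7d, 0x09,
 0x23, 0xed, 0x19, 0x07, 0x00, 0x00, 0x01, 0x56,
 0x00, 0x03, 0x73, 0x50,
 };
 
 // RFC5769 Test Vectors
@@ -1187,20 +1200,40 @@
 kRfc5769SampleMsgPassword));
 EXPECT_FALSE(StunMessage::ValidateMessageIntegrity(
 reinterpret_cast<const char*>(kStunMessageWithExcessLength),
 sizeof(kStunMessageWithExcessLength),
 kRfc5769SampleMsgPassword));
 EXPECT_FALSE(StunMessage::ValidateMessageIntegrity(
 reinterpret_cast<const char*>(kStunMessageWithSmallLength),
 sizeof(kStunMessageWithSmallLength),
 kRfc5769SampleMsgPassword));
 
+// Again, but with the lengths matching what is claimed in the headers.
+EXPECT_FALSE(StunMessage::ValidateMessageIntegrity(
+reinterpret_cast<const char*>(kStunMessageWithZeroLength),
+kStunHeaderSize + rtc::GetBE16(&kStunMessageWithZeroLength[2]),
+kRfc5769SampleMsgPassword));
+EXPECT_FALSE(StunMessage::ValidateMessageIntegrity(
+reinterpret_cast<const char*>(kStunMessageWithExcessLength),
+kStunHeaderSize + rtc::GetBE16(&kStunMessageWithExcessLength[2]),
+kRfc5769SampleMsgPassword));
+EXPECT_FALSE(StunMessage::ValidateMessageIntegrity(
+reinterpret_cast<const char*>(kStunMessageWithSmallLength),
+kStunHeaderSize + rtc::GetBE16(&kStunMessageWithSmallLength[2]),
+kRfc5769SampleMsgPassword));
+
+// Check that a too-short HMAC doesn't cause buffer overflow.
+EXPECT_FALSE(StunMessage::ValidateMessageIntegrity(
+reinterpret_cast<const char*>(kStunMessageWithBadHmacAtEnd),
+sizeof(kStunMessageWithBadHmacAtEnd),
+kRfc5769SampleMsgPassword));
+
 // Test that munging a single bit anywhere in the message causes the
 // message-integrity check to fail, unless it is after the M-I attribute.
 char buf[sizeof(kRfc5769SampleRequest)];
 memcpy(buf, kRfc5769SampleRequest, sizeof(kRfc5769SampleRequest));
 for (size_t i = 0; i < sizeof(buf); ++i) {
 buf[i] ^= 0x01;
 if (i > 0)
 buf[i - 1] ^= 0x01;
 EXPECT_EQ(i >= sizeof(buf) - 8, StunMessage::ValidateMessageIntegrity(
 buf, sizeof(buf), kRfc5769SampleMsgPassword));
@@ -1445,10 +1478,10 @@
 EXPECT_TRUE(msg2.Write(&out2));
 EXPECT_EQ(size, out2.Length());
 size_t len2 = out2.Length();
 rtc::ByteBufferReader read_buf2(out2);
 std::string outstring2;
 read_buf2.ReadString(&outstring2, len2);
 EXPECT_EQ(0, memcmp(outstring2.c_str(), input, len2));
 }
 
 } // namespace cricket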
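Review bot: The added check on `kStunMessageWithBadHmacAtEnd` (new lines 1224–1228) asserts only the return value, so it probably cannot tell fixed code from unfixed code unless the test binary runs under ASan or a similar memory checker. Reading past the 16 HMAC bytes that are actually present would most likely still yield a mismatch and return false, so `EXPECT_FALSE` passes either way. Copying the vector into an exactly-sized heap buffer makes an out-of-bounds access reliably detectable in sanitizer builds, e.g. `std::vector<char> exact(kStunMessageWithBadHmacAtEnd, kStunMessageWithBadHmacAtEnd + sizeof(kStunMessageWithBadHmacAtEnd));` passed as `exact.data(), exact.size()`. The comment at 1224 could also state that the regression is only caught under a memory checker, and a companion vector whose MESSAGE-INTEGRITY length is short but consistent with the message length (e.g. 16 with 16 bytes present) would pin down whether non-20-byte HMAC attributes are rejected outright; stun.cc is not visible on this page, so that behaviour is unconfirmed. The enclosing TEST body starts and ends outside the displayed lines.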