
Add protection code to prevent etcd from panic when the client api version is not valid UTF-8 string #13560

Merged
merged 1 commit into from
Jan 17, 2022

Conversation

ahrtr
Member

@ahrtr ahrtr commented Dec 26, 2021

Fix issues/13553.

If applications use clientv3, then this issue will never happen.

But if the client application sends data with an invalid client-api-version directly to etcdserver via a TCP connection, then the etcd server may panic. Accordingly, there is a security concern that a malicious program may take down the etcd server. So the PR is to fix the security concern.
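The failure mode described in this PR is a request header that reaches server code without being checked for well-formed UTF-8. The block below is an added example written for this page, not etcd's own code or the code merged in this PR: it validates the named metadata values up front and returns an error the server can turn into a rejected request, rather than letting the bytes flow into code that may panic. The `Metadata` type is a stand-in for the key-to-values shape of gRPC request metadata (an assumption of this example; etcd uses the grpc metadata package), and `ValidateUTF8Headers` / `ClientAPIVersion` are names chosen here.

```go
package main

import (
	"errors"
	"fmt"
	"unicode/utf8"
)

// Metadata stands in for the key -> values shape of gRPC request metadata.
// This is an assumption made for the example; the real server reads
// google.golang.org/grpc/metadata, which is not needed to show the check.
type Metadata map[string][]string

// ErrInvalidHeader is returned instead of letting malformed input reach code
// that might panic on it. Callers can map it to an InvalidArgument-style reply.
var ErrInvalidHeader = errors.New("header value is not valid UTF-8")

// ValidateUTF8Headers checks that every value of the named metadata keys is
// well-formed UTF-8. It returns nil when all present values are valid (a
// missing key is not an error) and an error naming the first offending key
// and value index otherwise.
func ValidateUTF8Headers(md Metadata, keys ...string) error {
	for _, k := range keys {
		for i, v := range md[k] {
			if !utf8.ValidString(v) {
				return fmt.Errorf("%w: key %q, value #%d (%d bytes)", ErrInvalidHeader, k, i, len(v))
			}
		}
	}
	return nil
}

// ClientAPIVersion returns the first client-api-version value when it is
// valid UTF-8. When the header is absent or malformed it returns the fallback
// and ok=false, so downstream version parsing only ever sees clean input.
func ClientAPIVersion(md Metadata, fallback string) (version string, ok bool) {
	vals := md["client-api-version"]
	if len(vals) == 0 || !utf8.ValidString(vals[0]) {
		return fallback, false
	}
	return vals[0], true
}

func main() {
	// Constructed sample requests: one well-formed, one carrying a stray 0xff byte.
	good := Metadata{"client-api-version": {"3.5.1"}}
	bad := Metadata{"client-api-version": {"3.5.\xff1"}}
	for _, md := range []Metadata{good, bad} {
		if err := ValidateUTF8Headers(md, "client-api-version"); err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		v, _ := ClientAPIVersion(md, "unknown")
		fmt.Println("accepted version:", v)
	}
}
```

Running the validation once, at the point where metadata is first read (in a gRPC server this would be an interceptor), keeps the check in one place and makes the rejection visible in server logs, which is also where a defender would look to spot a client repeatedly sending malformed headers.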

@AdamKorcz
Contributor

This fixes OSS-fuzz issue 42947

@ahrtr
Member Author

ahrtr commented Dec 30, 2021

This fixes OSS-fuzz issue 42947

@AdamKorcz Could you please provide a link to the issue 42947?

@AdamKorcz
Contributor

@AdamKorcz Could you please provide a link to the issue 42947?

https://oss-fuzz.com/testcase-detail/5815940963500032

@ahrtr
Member Author

ahrtr commented Dec 31, 2021

@AdamKorcz Could you please provide a link to the issue 42947?

https://oss-fuzz.com/testcase-detail/5815940963500032

Thanks. I got a response of "Access Denied". It seems that only the etcd maintainers have the access.

@ahrtr ahrtr force-pushed the protect_invalid_client_api_version branch from 0902569 to 02debc4 Compare January 4, 2022 06:17
@ahrtr
Member Author

ahrtr commented Jan 4, 2022

Just rebased the PR.

Contributor

@ptabor ptabor left a comment


Thank you.

I think we had better add explicit test-cases for such found violations.

@ahrtr
Member Author

ahrtr commented Jan 13, 2022

Thank you.

I think we had better add explicit test-cases for such found violations.

Thanks for the comment. Just raised a separate ticket issues/13592 to add the case.

@ahrtr ahrtr force-pushed the protect_invalid_client_api_version branch from 02debc4 to f8aafea Compare January 16, 2022 22:21
@ahrtr
Member Author

ahrtr commented Jan 16, 2022

Just rebased this PR and added an item to CHANGELOG-3.6

@serathius serathius added this to the etcd-v3.6 milestone Jan 17, 2022
@ptabor ptabor merged commit 9451a41 into etcd-io:main Jan 17, 2022

Successfully merging this pull request may close these issues.

a client can panic etcd by passing invalid utf-8 in the client-api-version header