-
Notifications
You must be signed in to change notification settings - Fork 508
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Conversion from prost_types::Timestamp
to SystemTime
may panic
#438
Comments
Thanks for the detailed report, @argv-minus-one. I definitely agree that it's an issue that the WRT the fix, I think I agree with the approach in #439, although I'm curious if we can keep the |
I don't believe so. Trait implementations cannot be deprecated. |
In prost-types 0.7.0, the conversion from
Timestamp
toSystemTime
uses the+
and-
operators onUNIX_EPOCH
. This can overflow and panic, creating a denial-of-service vulnerability if the inputTimestamp
is untrusted.Also, the conversion involves calling
Timestamp::normalize
, which uses the+
and-
operators. This may panic or wrap around (depending on compiler settings), also creating a denial-of-service vulnerability if the application is compiled to panic on overflow.Proof of concept
Fixing
Timestamp::normalize
should probably usesaturating_{add,sub}
. This can silently change the timestamp by up to about 3 seconds if itsnanos
field is out of range, but such a timestamp is arguably invalid anyway, so that's probably okay.SystemTime
does not havesaturating_{add,sub}
methods, norMIN
andMAX
constants. Therefore, unlikeTimestamp::normalize
, there is no way to silently clamp the input timestamp to the valid range ofSystemTime
s. That's probably a bad idea anyway, sinceSystemTime
could be based on a 32-bittime_t
or WindowsFILETIME
, in which case clamping it could change the timestamp by much more than a mere few seconds. I recommend making the conversion fallible again and usingSystemTime::checked_{add,sub}
.The text was updated successfully, but these errors were encountered: