From 6dff383817ba490fff93aa1a7b32c8ad4476feec Mon Sep 17 00:00:00 2001
From: Roman Tsisyk <roman@tsisyk.com>
Date: Thu, 15 Dec 2016 20:18:45 +0300
Subject: [PATCH] Fix out-of-bounds access in xrow_header_decode() and
 request_decode()

Fixes TALOS-2016-0255
Fixes CVE-2016-9037
Fixes #1992
---
 src/box/request.cc | 10 +++++-----
 src/box/xrow.cc    |  5 +++--
 2 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/src/box/request.cc b/src/box/request.cc
index 97c8315124..7067bbc001 100644
--- a/src/box/request.cc
+++ b/src/box/request.cc
@@ -70,13 +70,13 @@ request_decode(struct request *request, const char *data, uint32_t len)
 			mp_check(&data, end);
 			continue;
 		}
-		unsigned char key = mp_decode_uint(&data);
-		key_map &= ~iproto_key_bit(key);
+		uint64_t key = mp_decode_uint(&data);
 		const char *value = data;
-		if (mp_check(&data, end))
-			goto error;
-		if (iproto_key_type[key] != mp_typeof(*value))
+		if (mp_check(&data, end) != 0 ||
+		    key >= IPROTO_KEY_MAX ||
+		    iproto_key_type[key] != mp_typeof(*value))
 			goto error;
+		key_map &= ~iproto_key_bit(key);
 		switch (key) {
 		case IPROTO_SPACE_ID:
 			request->space_id = mp_decode_uint(&value);
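Review bot: The new guard `key >= IPROTO_KEY_MAX` is only correct if `iproto_key_type[]` really has `IPROTO_KEY_MAX` entries, and nothing in this hunk ties the two together, so a later key added to the enum without a table entry would silently reopen the out-of-bounds read. Since the table is declared elsewhere, the check belongs next to its definition: `static_assert(sizeof(iproto_key_type) / sizeof(iproto_key_type[0]) == IPROTO_KEY_MAX, "iproto_key_type must cover every IPROTO_* key");`, if the definition is visible there. The same range check is repeated verbatim in the xrow.cc hunk; a single inline helper such as `static inline bool iproto_key_is_valid(uint64_t key) { return key < IPROTO_KEY_MAX; }` would keep the two decoders from drifting apart. A short comment on the new condition, `/* mp_check first: value must be a complete msgpack object before its type is read */`, would also explain why the three tests are ordered as they are. request_decode's body continues outside the hunk on both sides.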
diff --git a/src/box/xrow.cc b/src/box/xrow.cc
index f8d42024d6..a66b6f3a13 100644
--- a/src/box/xrow.cc
+++ b/src/box/xrow.cc
@@ -60,8 +60,9 @@ xrow_header_decode(struct xrow_header *header, const char **pos,
 	for (uint32_t i = 0; i < size; i++) {
 		if (mp_typeof(**pos) != MP_UINT)
 			goto error;
-		unsigned char key = mp_decode_uint(pos);
-		if (iproto_key_type[key] != mp_typeof(**pos))
+		uint64_t key = mp_decode_uint(pos);
+		if (key >= IPROTO_KEY_MAX ||
+		    iproto_key_type[key] != mp_typeof(**pos))
 			goto error;
 		switch (key) {
 		case IPROTO_REQUEST_TYPE:
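Review bot: After `mp_decode_uint(pos)` advances past the key, `mp_typeof(**pos)` reads the first byte of the value with no comparison against the end of the buffer in this hunk, so the fix is only complete if the whole header map was already validated with `mp_check` before this loop. xrow_header_decode's signature and the start of its body are outside the hunk (the `end` parameter is not visible), so that cannot be confirmed here; if the up-front validation exists, a one-line comment above the loop, `/* header map was mp_check'ed in full above, so reads inside the loop cannot run past end */`, would make the invariant the new range check relies on explicit. The body of the switch continues outside the hunk.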
-- 
GitLab