[c-lightning] Security issue in c-lightning

ZmnSCPxj ZmnSCPxj at protonmail.com
Tue Jun 9 02:25:37 AEST 2020


I attached a simple program to help investigate this issue.

Compile with jsmn.c, then use:

    $ ./a.out '{""""}'

Here are some sample outputs:

$ ./a.out '{"xxx": 2.    ""}'
[0]
        type = JSMN_OBJECT
        start = 0
        end = 17
        size = 1
[1]
        type = JSMN_STRING
        start = 2
        end = 5
        size = 2
[2]
        type = JSMN_PRIMITIVE
        start = 8
        end = 10
        size = 0
[3]
        type = JSMN_STRING
        start = 15
        end = 15
        size = 0


$ ./a.out '{"xxx": 2,""}'
[0]
        type = JSMN_OBJECT
        start = 0
        end = 13
        size = 2
[1]
        type = JSMN_STRING
        start = 2
        end = 5
        size = 1
[2]
        type = JSMN_PRIMITIVE
        start = 8
        end = 9
        size = 0
[3]
        type = JSMN_STRING
        start = 11
        end = 11
        size = 0

$ ./a.out '{"x""y""z"}'
[0]
        type = JSMN_OBJECT
        start = 0
        end = 11
        size = 3
[1]
        type = JSMN_STRING
        start = 2
        end = 3
        size = 0
[2]
        type = JSMN_STRING
        start = 5
        end = 6
        size = 0
[3]
        type = JSMN_STRING
        start = 8
        end = 9
        size = 0


I am now horribly confused about what "size" is supposed to mean in jsmn at this point.
jsmn also has relatively minimal documentation about what "size" is...

Can we assume that every valid key in a valid object is a string key and has a "size" of 1?


I would suggest using some kind of filter wrapper around `json_parse_input` to protect against such strange behavior from jsmn.
There are only two callers to `jsmn_parse` in our production non-test code.
One is the `json_parse_input` wrapper.
The other is inside `lightning-cli`; due to its expected use, we do not expect such issues to arise with `lightning-cli` (though it might do best for `lightning-cli` to switch to using `json_parse_input`, this is lower priority).


Regards,
ZmnSCPxj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: main.c
Type: text/x-csrc
Size: 1233 bytes
Desc: not available
URL: <http://lists.ozlabs.org/pipermail/c-lightning/attachments/20200608/d3611452/attachment.c>
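As an added example (not the attached main.c and not c-lightning's own code), here is the kind of token-tree check a filter wrapper around `json_parse_input` could apply: it rejects any object member whose key is not a string of size 1 and any tree that does not account for every token. The `jsmntok_t` layout and enum names are assumed to mirror jsmn's; the token arrays are constructed from the outputs above and from what a valid `{"xxx": 2}` yields.

```c
#include <stdbool.h>

/* Assumed mirror of jsmn's token layout; jsmn.h itself is not included here. */
typedef enum { JSMN_UNDEFINED, JSMN_OBJECT, JSMN_ARRAY, JSMN_STRING, JSMN_PRIMITIVE } jsmntype_t;
typedef struct { jsmntype_t type; int start, end, size; } jsmntok_t;

/* Walk the subtree rooted at tok[i]; return tokens consumed, or -1 if malformed. */
static int check_subtree(const jsmntok_t *tok, int ntok, int i)
{
    if (i >= ntok) return -1;
    const jsmntok_t *t = &tok[i];
    int used = 1;
    switch (t->type) {
    case JSMN_STRING: case JSMN_PRIMITIVE:
        return t->size == 0 ? 1 : -1;          /* a value owns no children */
    case JSMN_ARRAY:
        for (int k = 0; k < t->size; k++) {
            int n = check_subtree(tok, ntok, i + used);
            if (n < 0) return -1;
            used += n;
        }
        return used;
    case JSMN_OBJECT:
        for (int k = 0; k < t->size; k++) {
            int ki = i + used;
            /* Each member must be a string key of size 1 followed by exactly one value. */
            if (ki >= ntok || tok[ki].type != JSMN_STRING || tok[ki].size != 1) return -1;
            int n = check_subtree(tok, ntok, ki + 1);
            if (n < 0) return -1;
            used += 1 + n;
        }
        return used;
    default:
        return -1;
    }
}

/* Accept only when the whole token array forms exactly one well-formed tree. */
bool jsmn_tokens_well_formed(const jsmntok_t *tok, int ntok)
{
    return ntok > 0 && check_subtree(tok, ntok, 0) == ntok;
}

/* Constructed token arrays: the first two copied from the outputs in this mail. */
const jsmntok_t bad_dot[] = { {JSMN_OBJECT,0,17,1}, {JSMN_STRING,2,5,2}, {JSMN_PRIMITIVE,8,10,0}, {JSMN_STRING,15,15,0} };
const jsmntok_t bad_xyz[] = { {JSMN_OBJECT,0,11,3}, {JSMN_STRING,2,3,0}, {JSMN_STRING,5,6,0}, {JSMN_STRING,8,9,0} };
const jsmntok_t good_obj[] = { {JSMN_OBJECT,0,10,1}, {JSMN_STRING,2,5,1}, {JSMN_PRIMITIVE,8,9,0} };  /* {"xxx": 2} */
#define NTOK(a) ((int)(sizeof(a) / sizeof((a)[0])))
```

Rejecting on `size != 1` for keys is deliberately stricter than assuming it, so the wrapper never has to reason about what jsmn meant by "size" in the odd cases.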