From fab54db9f1d0e634f4a697480dbb87b87940dc5c Mon Sep 17 00:00:00 2001 From: MarcoFalke <*~=`'#}+{/-|&$^_@721217.xyz> Date: Fri, 12 Jul 2024 17:48:40 +0200 Subject: [PATCH 1/2] rest: Reject negative outpoint index in getutxos parsing --- src/rest.cpp | 7 ++++--- test/functional/interface_rest.py | 5 ++++- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/src/rest.cpp b/src/rest.cpp index 4abbc4d2ca..185508d2c9 100644 --- a/src/rest.cpp +++ b/src/rest.cpp @@ -788,14 +788,15 @@ static bool rest_getutxos(const std::any& context, HTTPRequest* req, const std:: for (size_t i = (fCheckMemPool) ? 1 : 0; i < uriParts.size(); i++) { - int32_t nOutput; std::string strTxid = uriParts[i].substr(0, uriParts[i].find('-')); std::string strOutput = uriParts[i].substr(uriParts[i].find('-')+1); + auto output{ToIntegral(strOutput)}; - if (!ParseInt32(strOutput, &nOutput) || !IsHex(strTxid)) + if (!output || !IsHex(strTxid)) { return RESTERR(req, HTTP_BAD_REQUEST, "Parse error"); + } - vOutPoints.emplace_back(TxidFromString(strTxid), (uint32_t)nOutput); + vOutPoints.emplace_back(TxidFromString(strTxid), *output); } if (vOutPoints.size() > 0) diff --git a/test/functional/interface_rest.py b/test/functional/interface_rest.py index ae8d6b226d..aa201cb85b 100755 --- a/test/functional/interface_rest.py +++ b/test/functional/interface_rest.py @@ -201,10 +201,13 @@ class RESTTest (BitcoinTestFramework): json_obj = self.test_rest_request(f"/getutxos/checkmempool/{spending[0]}-{spending[1]}") assert_equal(len(json_obj['utxos']), 1) - # Do some invalid requests + self.log.info("Check some invalid requests") self.test_rest_request("/getutxos", http_method='POST', req_type=ReqType.JSON, body='{"checkmempool', status=400, ret_type=RetType.OBJ) self.test_rest_request("/getutxos", http_method='POST', req_type=ReqType.BIN, body='{"checkmempool', status=400, ret_type=RetType.OBJ) self.test_rest_request("/getutxos/checkmempool", http_method='POST', req_type=ReqType.JSON, status=400, ret_type=RetType.OBJ) + self.test_rest_request(f"/getutxos/{spending[0]}_+1", ret_type=RetType.OBJ, status=400) + self.test_rest_request(f"/getutxos/{spending[0]}-+1", ret_type=RetType.OBJ, status=400) + self.test_rest_request(f"/getutxos/{spending[0]}--1", ret_type=RetType.OBJ, status=400) # Test limits long_uri = '/'.join([f"{txid}-{n_}" for n_ in range(20)]) From fac932bf93d9bd8cb7bef93f04ecf48ea2ccf1d1 Mon Sep 17 00:00:00 2001 From: MarcoFalke <*~=`'#}+{/-|&$^_@721217.xyz> Date: Wed, 17 Jul 2024 12:17:43 +0200 Subject: [PATCH 2/2] refactor: Use util::Split to avoid a harmless unsigned-integer-overflow The previous commit added a test which would fail the unsigned-integer-overflow sanitizer. The warning is harmless and can be triggered on any commit, since the code was introduced. For reference, the warning would happen when the separator `-` was not present. For example: GET /rest/getutxos/6a297bfa5cb8dd976ab0207a767d6cbfaa5e876f30081127ec8674c8c52b16c0_+1.json would result in: rest.cpp:792:77: runtime error: unsigned integer overflow: 18446744073709551615 + 1 cannot be represented in type 'size_type' (aka 'unsigned long') #0 0x55ad42c16931 in rest_getutxos(std::any const&, HTTPRequest*, std::__cxx11::basic_string, std::allocator> const&) src/rest.cpp:792:77 #1 0x55ad4319e3c0 in std::function, std::allocator> const&)>::operator()(HTTPRequest*, std::__cxx11::basic_string, std::allocator> const&) const /usr/bin/../lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/std_function.h:591:9 #2 0x55ad4319e3c0 in HTTPWorkItem::operator()() src/httpserver.cpp:59:9 #3 0x55ad431a3eea in WorkQueue::Run() src/httpserver.cpp:114:13 #4 0x55ad4318f961 in HTTPWorkQueueRun(WorkQueue*, int) src/httpserver.cpp:403:12 #5 0x7f078ebcbbb3 (/lib/x86_64-linux-gnu/libstdc++.so.6+0xeabb3) (BuildId: 40b9b0d17fdeebfb57331304da2b7f85e1396ef2) #6 0x55ad4277e01c in asan_thread_start(void*) asan_interceptors.cpp.o #7 0x7f078e840a93 (/lib/x86_64-linux-gnu/libc.so.6+0x9ca93) (BuildId: 08134323d00289185684a4cd177d202f39c2a5f3) #8 0x7f078e8cdc3b (/lib/x86_64-linux-gnu/libc.so.6+0x129c3b) (BuildId: 08134323d00289185684a4cd177d202f39c2a5f3) SUMMARY: UndefinedBehaviorSanitizer: unsigned-integer-overflow rest.cpp:792:77 --- src/rest.cpp | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/src/rest.cpp b/src/rest.cpp index 185508d2c9..3cf6ad343c 100644 --- a/src/rest.cpp +++ b/src/rest.cpp @@ -788,15 +788,17 @@ static bool rest_getutxos(const std::any& context, HTTPRequest* req, const std:: for (size_t i = (fCheckMemPool) ? 1 : 0; i < uriParts.size(); i++) { - std::string strTxid = uriParts[i].substr(0, uriParts[i].find('-')); - std::string strOutput = uriParts[i].substr(uriParts[i].find('-')+1); - auto output{ToIntegral(strOutput)}; + const auto txid_out{util::Split(uriParts[i], '-')}; + if (txid_out.size() != 2) { + return RESTERR(req, HTTP_BAD_REQUEST, "Parse error"); + } + auto output{ToIntegral(txid_out.at(1))}; - if (!output || !IsHex(strTxid)) { + if (!output || !IsHex(txid_out.at(0))) { return RESTERR(req, HTTP_BAD_REQUEST, "Parse error"); } - vOutPoints.emplace_back(TxidFromString(strTxid), *output); + vOutPoints.emplace_back(TxidFromString(txid_out.at(0)), *output); } if (vOutPoints.size() > 0)