net: Don't allow resolving of std::string with embedded NUL characters. Add tests.

practicalswift commented at 1:41 pm on December 16, 2019: contributor

Don’t allow resolving of std::string:s with embedded NUL characters.

Avoid using C-style NUL-terminated strings as arguments in the netbase interface

Add tests.

The only place in where C-style NUL-terminated strings are actually needed is here:

0+    if (!ValidAsCString(name)) {
1+        return false;
2+    }
3...
4-    int nErr = getaddrinfo(pszName, nullptr, &aiHint, &aiRes);
5+    int nErr = getaddrinfo(name.c_str(), nullptr, &aiHint, &aiRes);
6     if (nErr)
7         return false;

Interface changes:

 0-bool LookupHost(const char *pszName, std::vector<CNetAddr>& vIP, unsigned int nMaxSolutions, bool fAllowLookup);
 1+bool LookupHost(const std::string& name, std::vector<CNetAddr>& vIP, unsigned int nMaxSolutions, bool fAllowLookup);
 2
 3-bool LookupHost(const char *pszName, CNetAddr& addr, bool fAllowLookup);
 4+bool LookupHost(const std::string& name, CNetAddr& addr, bool fAllowLookup);
 5
 6-bool Lookup(const char *pszName, CService& addr, int portDefault, bool fAllowLookup);
 7+bool Lookup(const std::string& name, CService& addr, int portDefault, bool fAllowLookup);
 8
 9-bool Lookup(const char *pszName, std::vector<CService>& vAddr, int portDefault, bool fAllowLookup, unsigned int nMaxSolutions);
10+bool Lookup(const std::string& name, std::vector<CService>& vAddr, int portDefault, bool fAllowLookup, unsigned int nMaxSolutions);
11
12-bool LookupSubNet(const char *pszName, CSubNet& subnet);
13+bool LookupSubNet(const std::string& strSubnet, CSubNet& subnet);
14
15-CService LookupNumeric(const char *pszName, int portDefault = 0);
16+CService LookupNumeric(const std::string& name, int portDefault = 0);
17
18-bool ConnectThroughProxy(const proxyType &proxy, const std::string& strDest, int port, const SOCKET& hSocketRet, int nTimeout, bool *outProxyConnectionFailed);
19+bool ConnectThroughProxy(const proxyType &proxy, const std::string& strDest, int port, const SOCKET& hSocketRet, int nTimeout, bool& outProxyConnectionFailed);

It should be noted that the ConnectThroughProxy change (from bool *outProxyConnectionFailed to bool& outProxyConnectionFailed) has nothing to do with NUL handling but I thought it was worth doing when touching this file :)

fanquake added the label P2P on Dec 16, 2019

DrahtBot commented at 3:31 pm on December 16, 2019: member

The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

Conflicts

Reviewers, this pull request conflicts with the following ones:

#17602 (net: Limit # of IPs learned from a DNS seed by family by dongcarl)
#17356 (RPC: Internal named params by luke-jr)
#17160 (refactor: net: subnet lookup: use single-result LookupHost() by theStack)
#16548 (Make the global flag fDiscover an instance variable of CConnman by mmachicao)
#16224 (gui: Bilingual GUI error messages by hebasto)

If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first.

elichai commented at 5:14 pm on December 16, 2019: contributor

Concept ACK. It’s best to not use C style Strings whenever it’s possible, and if and when it’s required we should add sanity checks.

instagibbs commented at 7:03 pm on December 16, 2019: member

utACK a32d3ccefe008f098f435a0b01284d5711ee8768

I always learn something new about implicit conversion in C++

practicalswift renamed this:
~~net: Don't allow resolving of std::string:s with embedded NUL characters. Add tests.~~
net: Don't allow resolving of std::string with embedded NUL characters. Add tests.
on Dec 17, 2019

laanwj commented at 8:50 am on December 17, 2019: member

Concept ACK Also gets rid of a lot of the remaining (unnecessary) c_str(). This is something I’ve been wanting to do for a long time but never dared.

in src/test/netbase_tests.cpp:409 in a32d3ccefe outdated

398@@ -400,4 +399,16 @@ BOOST_AUTO_TEST_CASE(netpermissions_test)
399     BOOST_CHECK(std::find(strings.begin(), strings.end(), "mempool") != strings.end());
400 }
401 
402+BOOST_AUTO_TEST_CASE(netbase_dont_resolve_strings_with_embedded_nul_characters)
403+{
404+    CNetAddr addr;
405+    BOOST_CHECK(LookupHost(std::string("127.0.0.1", 9), addr, false));
406+    BOOST_CHECK(!LookupHost(std::string("127.0.0.1\0example.com", 21), addr, false));

promag commented at 12:32 pm on December 22, 2019:

Could also test with embedded nul char at end.

practicalswift commented at 3:57 pm on December 29, 2019:

Good idea! Added such a case. Please re-review :)

promag commented at 12:34 pm on December 22, 2019: member

Code review ACK a32d3ccefe008f098f435a0b01284d5711ee8768.

practicalswift force-pushed on Dec 29, 2019

fanquake commented at 4:22 pm on December 29, 2019: member

cc @EthanHeilman

practicalswift force-pushed on Dec 29, 2019

in src/test/netbase_tests.cpp:410 in 10ef76ffc7 outdated

403+{
404+    CNetAddr addr;
405+    BOOST_CHECK(LookupHost(std::string("127.0.0.1", 9), addr, false));
406+    BOOST_CHECK(!LookupHost(std::string("127.0.0.1\0", 10), addr, false));
407+    BOOST_CHECK(!LookupHost(std::string("127.0.0.1\0example.com", 21), addr, false));
408+    BOOST_CHECK(!LookupHost(std::string("127.0.0.1\0example.com\0", 22), addr, false));

promag commented at 10:41 pm on December 29, 2019:

nit, could drop the middle nul.

EthanHeilman commented at 7:39 pm on January 2, 2020:

To me the middle \0 seems like a useful case to check. Whats the benefit in dropping it?

promag commented at 7:40 pm on January 2, 2020:

already checked above.

EthanHeilman commented at 8:00 pm on January 2, 2020:

You mean that the test for BOOST_CHECK(!LookupHost(std::string("127.0.0.1\0", 10), addr, false)); is the same as the test for BOOST_CHECK(!LookupHost(std::string("127.0.0.1\0example.com", 21), addr, false));?

promag commented at 10:41 pm on December 29, 2019: member

ACK 10ef76ffc7ff7649786d441faabd66c1593427d5.

EthanHeilman commented at 7:37 pm on January 2, 2020: contributor

ACK clear code base improvement

net: Avoid using C-style NUL-terminated strings as arguments in the netbase interface 9574de86ad

tests: Add tests to make sure lookup methods fail on std::string parameters with embedded NUL characters fefb9165f2

tests: Avoid using C-style NUL-terminated strings as arguments 7a046cdc14

practicalswift force-pushed on Jan 8, 2020

practicalswift commented at 12:37 pm on January 8, 2020: contributor

Rebased to get rid of non-related Travis macOS failure! @promag @EthanHeilman Please re-review :)

in src/net.cpp:436 in 7a046cdc14

431@@ -432,7 +432,8 @@ CNode* CConnman::ConnectNode(CAddress addrConnect, const char *pszDest, bool fCo
432         std::string host;
433         int port = default_port;
434         SplitHostPort(std::string(pszDest), port, host);
435-        connected = ConnectThroughProxy(proxy, host, port, hSocket, nConnectTimeout, nullptr);
436+        bool proxyConnectionFailed;
437+        connected = ConnectThroughProxy(proxy, host, port, hSocket, nConnectTimeout, proxyConnectionFailed);

EthanHeilman commented at 7:39 pm on January 8, 2020:

It doesn’t especially relevant to this PR so this should block this PR but I noticed that proxyConnectionFailed is not checked in this call Does it make sense to create a ConnectThroughProxy method without the outProxyConnectionFailed parameter or should this call check proxyConnectionFailed like the prior call does?

practicalswift commented at 10:19 pm on January 8, 2020:

Good point! Let’s we tackle that in a separate follow-up PR to keep this one focused :)

EthanHeilman commented at 10:20 pm on January 8, 2020:

Agreed, I just wanted to make a note here so I didn’t forget.

EthanHeilman commented at 8:01 pm on January 8, 2020: contributor

ACK 7a046cdc1423963bdcbcf9bb98560af61fa90b37 I did not run any tests. I read through the code carefully, looking up behavior I didn’t understand. I don’t see any reasons not to merge.

EthanHeilman approved

fanquake requested review from promag on Jan 14, 2020

practicalswift requested review from jamesob on Jan 14, 2020

practicalswift requested review from laanwj on Jan 21, 2020

laanwj commented at 7:20 pm on January 22, 2020: member

ACK 7a046cdc1423963bdcbcf9bb98560af61fa90b37

It should be noted that the ConnectThroughProxy change (from bool *outProxyConnectionFailed to bool& outProxyConnectionFailed) has nothing to do with NUL handling but I thought it was worth doing when touching this file :)

FWIW I think such unrelated changes should generally be avoided (especially as part of the same commit). But I don’t mind it in this case, personally, and this has had enough review.

laanwj referenced this in commit 1ae46dce60 on Jan 22, 2020

laanwj merged this on Jan 22, 2020

laanwj closed this on Jan 22, 2020

sidhujag referenced this in commit fc9bd3b507 on Jan 24, 2020

sidhujag referenced this in commit d7c10554c8 on Nov 10, 2020

Fabcien referenced this in commit 4927fc4b11 on Dec 17, 2020

Fabcien referenced this in commit fe17052580 on Dec 17, 2020

Fabcien referenced this in commit a36894a1f1 on Dec 17, 2020

practicalswift deleted the branch on Apr 10, 2021

kittywhiskers referenced this in commit 466b153103 on May 22, 2021

random-zebra referenced this in commit b4751e10ce on Aug 11, 2021

PastaPastaPasta referenced this in commit bb5c622d20 on Apr 7, 2022

Munkybooty referenced this in commit 4692725277 on Jun 25, 2022

Munkybooty referenced this in commit 9c72faf959 on Aug 3, 2022

knst referenced this in commit c6eeee341d on Aug 6, 2022

DrahtBot locked this on Aug 16, 2022

net: Don’t allow resolving of std::string with embedded NUL characters. Add tests. #17754

Conflicts