From d1edbf1f0b86075d41fecc52c750addd70376665 Mon Sep 17 00:00:00 2001 From: Dave Collins Date: Thu, 24 Oct 2013 23:36:15 -0500 Subject: [PATCH] Add tests to exercise intential malicious overflow. This commit adds several tests which intentionally attempt to feed malicious data to the various deserialize functions. --- msgblock_test.go | 68 +++++++++++++++++++++++++++++++++ msgtx_test.go | 96 +++++++++++++++++++++++++++++++++++++++++++++++ test_coverage.txt | 66 ++++++++++++++++---------------- 3 files changed, 197 insertions(+), 33 deletions(-) diff --git a/msgblock_test.go b/msgblock_test.go index 16184533..3104de8d 100644 --- a/msgblock_test.go +++ b/msgblock_test.go @@ -381,6 +381,74 @@ func TestBlockSerializeErrors(t *testing.T) { } } +// TestBlockOverflowErrors performs tests to ensure deserializing blocks which +// are intentionally crafted to use large values for the number of transactions +// are handled properly. This could otherwise potentially be used as an attack +// vector. +func TestBlockOverflowErrors(t *testing.T) { + // Use protocol version 70001 specifically here instead of the latest + // protocol version because the test data is using bytes encoded with + // that version. + pver := uint32(70001) + + tests := []struct { + buf []byte // Wire encoding + pver uint32 // Protocol version for wire encoding + err error // Expected error + }{ + // Block that claims to have ~uint64(0) transactions. + { + []byte{ + 0x01, 0x00, 0x00, 0x00, // Version 1 + 0x6f, 0xe2, 0x8c, 0x0a, 0xb6, 0xf1, 0xb3, 0x72, + 0xc1, 0xa6, 0xa2, 0x46, 0xae, 0x63, 0xf7, 0x4f, + 0x93, 0x1e, 0x83, 0x65, 0xe1, 0x5a, 0x08, 0x9c, + 0x68, 0xd6, 0x19, 0x00, 0x00, 0x00, 0x00, 0x00, // PrevBlock + 0x98, 0x20, 0x51, 0xfd, 0x1e, 0x4b, 0xa7, 0x44, + 0xbb, 0xbe, 0x68, 0x0e, 0x1f, 0xee, 0x14, 0x67, + 0x7b, 0xa1, 0xa3, 0xc3, 0x54, 0x0b, 0xf7, 0xb1, + 0xcd, 0xb6, 0x06, 0xe8, 0x57, 0x23, 0x3e, 0x0e, // MerkleRoot + 0x61, 0xbc, 0x66, 0x49, // Timestamp + 0xff, 0xff, 0x00, 0x1d, // Bits + 0x01, 0xe3, 0x62, 0x99, // Nonce + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, // TxnCount + }, pver, &btcwire.MessageError{}, + }, + } + + t.Logf("Running %d tests", len(tests)) + for i, test := range tests { + // Decode from wire format. + var msg btcwire.MsgBlock + r := bytes.NewBuffer(test.buf) + err := msg.BtcDecode(r, test.pver) + if reflect.TypeOf(err) != reflect.TypeOf(test.err) { + t.Errorf("BtcDecode #%d wrong error got: %v, want: %v", + i, err, reflect.TypeOf(test.err)) + continue + } + + // Deserialize from wire format. + r = bytes.NewBuffer(test.buf) + err = msg.Deserialize(r) + if reflect.TypeOf(err) != reflect.TypeOf(test.err) { + t.Errorf("Deserialize #%d wrong error got: %v, want: %v", + i, err, reflect.TypeOf(test.err)) + continue + } + + // Deserialize with transaction location info from wire format. + r = bytes.NewBuffer(test.buf) + _, err = msg.DeserializeTxLoc(r) + if reflect.TypeOf(err) != reflect.TypeOf(test.err) { + t.Errorf("DeserializeTxLoc #%d wrong error got: %v, "+ + "want: %v", i, err, reflect.TypeOf(test.err)) + continue + } + } +} + var blockOne = btcwire.MsgBlock{ Header: btcwire.BlockHeader{ Version: 1, diff --git a/msgtx_test.go b/msgtx_test.go index 9f003dc1..64535a81 100644 --- a/msgtx_test.go +++ b/msgtx_test.go @@ -491,6 +491,102 @@ func TestTxSerializeErrors(t *testing.T) { } } +// TestTxOverflowErrors performs tests to ensure deserializing transactions +// which are intentionally crafted to use large values for the variable number +// of inputs and outputs are handled properly. This could otherwise potentially +// be used as an attack vector. +func TestTxOverflowErrors(t *testing.T) { + // Use protocol version 70001 and transaction version 1 specifically + // here instead of the latest values because the test data is using + // bytes encoded with those versions. + pver := uint32(70001) + txVer := uint32(1) + + tests := []struct { + buf []byte // Wire encoding + pver uint32 // Protocol version for wire encoding + version uint32 // Transaction version + err error // Expected error + }{ + // Transaction that claims to have ~uint64(0) inputs. + { + []byte{ + 0x00, 0x00, 0x00, 0x01, // Version + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, // Varint for number of input transactions + }, pver, txVer, &btcwire.MessageError{}, + }, + + // Transaction that claims to have ~uint64(0) outputs. + { + []byte{ + 0x00, 0x00, 0x00, 0x01, // Version + 0x00, // Varint for number of input transactions + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, // Varint for number of output transactions + }, pver, txVer, &btcwire.MessageError{}, + }, + + // Transaction that has an input with a signature script that + // claims to have ~uint64(0) length. + { + []byte{ + 0x00, 0x00, 0x00, 0x01, // Version + 0x01, // Varint for number of input transactions + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // Previous output hash + 0xff, 0xff, 0xff, 0xff, // Prevous output index + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, // Varint for length of signature script + }, pver, txVer, &btcwire.MessageError{}, + }, + + // Transaction that has an output with a public key script + // that claims to have ~uint64(0) length. + { + []byte{ + 0x00, 0x00, 0x00, 0x01, // Version + 0x01, // Varint for number of input transactions + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // Previous output hash + 0xff, 0xff, 0xff, 0xff, // Prevous output index + 0x00, // Varint for length of signature script + 0xff, 0xff, 0xff, 0xff, // Sequence + 0x01, // Varint for number of output transactions + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // Transaction amount + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, // Varint for length of public key script + }, pver, txVer, &btcwire.MessageError{}, + }, + } + + t.Logf("Running %d tests", len(tests)) + for i, test := range tests { + // Decode from wire format. + var msg btcwire.MsgTx + r := bytes.NewBuffer(test.buf) + err := msg.BtcDecode(r, test.pver) + if reflect.TypeOf(err) != reflect.TypeOf(test.err) { + t.Errorf("BtcDecode #%d wrong error got: %v, want: %v", + i, err, reflect.TypeOf(test.err)) + continue + } + + // Decode from wire format. + r = bytes.NewBuffer(test.buf) + err = msg.Deserialize(r) + if reflect.TypeOf(err) != reflect.TypeOf(test.err) { + t.Errorf("Deserialize #%d wrong error got: %v, want: %v", + i, err, reflect.TypeOf(test.err)) + continue + } + } +} + // multiTx is a MsgTx with an input and output and used in various tests. var multiTx = &btcwire.MsgTx{ Version: 1, diff --git a/test_coverage.txt b/test_coverage.txt index 2dd4557f..9f5dcf31 100644 --- a/test_coverage.txt +++ b/test_coverage.txt @@ -1,7 +1,7 @@ github.com/conformal/btcwire/message.go ReadMessage 100.00% (37/37) +github.com/conformal/btcwire/msgtx.go MsgTx.BtcDecode 100.00% (33/33) github.com/conformal/btcwire/message.go WriteMessage 100.00% (31/31) -github.com/conformal/btcwire/msgtx.go MsgTx.BtcDecode 100.00% (27/27) github.com/conformal/btcwire/msgversion.go MsgVersion.BtcDecode 100.00% (25/25) github.com/conformal/btcwire/common.go readVarInt 100.00% (24/24) github.com/conformal/btcwire/msgtx.go MsgTx.Copy 100.00% (24/24) @@ -9,62 +9,62 @@ github.com/conformal/btcwire/msgtx.go MsgTx.BtcEncode 100.00% (23/23) github.com/conformal/btcwire/msgversion.go MsgVersion.BtcEncode 100.00% (22/22) github.com/conformal/btcwire/msggetheaders.go MsgGetHeaders.BtcDecode 100.00% (20/20) github.com/conformal/btcwire/msggetblocks.go MsgGetBlocks.BtcDecode 100.00% (20/20) -github.com/conformal/btcwire/message.go makeEmptyMessage 100.00% (20/20) +github.com/conformal/btcwire/msgtx.go readTxIn 100.00% (20/20) github.com/conformal/btcwire/netaddress.go readNetAddress 100.00% (20/20) +github.com/conformal/btcwire/message.go makeEmptyMessage 100.00% (20/20) +github.com/conformal/btcwire/msgblock.go MsgBlock.DeserializeTxLoc 100.00% (19/19) github.com/conformal/btcwire/msggetheaders.go MsgGetHeaders.BtcEncode 100.00% (18/18) github.com/conformal/btcwire/msggetblocks.go MsgGetBlocks.BtcEncode 100.00% (18/18) github.com/conformal/btcwire/msgheaders.go MsgHeaders.BtcDecode 100.00% (17/17) -github.com/conformal/btcwire/msgtx.go readTxIn 100.00% (17/17) github.com/conformal/btcwire/common.go writeVarInt 100.00% (16/16) -github.com/conformal/btcwire/msgblock.go MsgBlock.DeserializeTxLoc 100.00% (16/16) -github.com/conformal/btcwire/msgheaders.go MsgHeaders.BtcEncode 100.00% (15/15) github.com/conformal/btcwire/msgaddr.go MsgAddr.BtcEncode 100.00% (15/15) -github.com/conformal/btcwire/msgtx.go writeTxIn 100.00% (15/15) github.com/conformal/btcwire/shahash.go NewShaHashFromStr 100.00% (15/15) +github.com/conformal/btcwire/msgheaders.go MsgHeaders.BtcEncode 100.00% (15/15) +github.com/conformal/btcwire/msgblock.go MsgBlock.BtcDecode 100.00% (15/15) +github.com/conformal/btcwire/msgtx.go writeTxIn 100.00% (15/15) +github.com/conformal/btcwire/msgtx.go readTxOut 100.00% (15/15) +github.com/conformal/btcwire/msgaddr.go MsgAddr.BtcDecode 100.00% (14/14) +github.com/conformal/btcwire/msginv.go MsgInv.BtcDecode 100.00% (14/14) github.com/conformal/btcwire/netaddress.go writeNetAddress 100.00% (14/14) github.com/conformal/btcwire/msggetdata.go MsgGetData.BtcDecode 100.00% (14/14) -github.com/conformal/btcwire/msginv.go MsgInv.BtcDecode 100.00% (14/14) github.com/conformal/btcwire/msgnotfound.go MsgNotFound.BtcDecode 100.00% (14/14) -github.com/conformal/btcwire/msgaddr.go MsgAddr.BtcDecode 100.00% (14/14) -github.com/conformal/btcwire/msgtx.go readTxOut 100.00% (12/12) github.com/conformal/btcwire/msginv.go MsgInv.BtcEncode 100.00% (12/12) -github.com/conformal/btcwire/protocol.go ServiceFlag.String 100.00% (12/12) -github.com/conformal/btcwire/msggetdata.go MsgGetData.BtcEncode 100.00% (12/12) github.com/conformal/btcwire/msgnotfound.go MsgNotFound.BtcEncode 100.00% (12/12) +github.com/conformal/btcwire/msggetdata.go MsgGetData.BtcEncode 100.00% (12/12) +github.com/conformal/btcwire/protocol.go ServiceFlag.String 100.00% (12/12) github.com/conformal/btcwire/msgtx.go writeTxOut 100.00% (11/11) -github.com/conformal/btcwire/msgblock.go MsgBlock.BtcDecode 100.00% (11/11) -github.com/conformal/btcwire/blockheader.go readBlockHeader 100.00% (10/10) +github.com/conformal/btcwire/common.go readVarString 100.00% (11/11) github.com/conformal/btcwire/message.go discardInput 100.00% (10/10) +github.com/conformal/btcwire/blockheader.go readBlockHeader 100.00% (10/10) github.com/conformal/btcwire/msgblock.go MsgBlock.BtcEncode 100.00% (9/9) -github.com/conformal/btcwire/blockheader.go writeBlockHeader 100.00% (8/8) -github.com/conformal/btcwire/msgalert.go MsgAlert.BtcDecode 100.00% (8/8) github.com/conformal/btcwire/msgalert.go MsgAlert.BtcEncode 100.00% (8/8) -github.com/conformal/btcwire/common.go readVarString 100.00% (8/8) -github.com/conformal/btcwire/common.go writeVarString 100.00% (7/7) -github.com/conformal/btcwire/msgpong.go MsgPong.BtcEncode 100.00% (7/7) -github.com/conformal/btcwire/msgversion.go NewMsgVersionFromConn 100.00% (7/7) +github.com/conformal/btcwire/msgalert.go MsgAlert.BtcDecode 100.00% (8/8) +github.com/conformal/btcwire/blockheader.go writeBlockHeader 100.00% (8/8) github.com/conformal/btcwire/common.go randomUint64 100.00% (7/7) +github.com/conformal/btcwire/msgpong.go MsgPong.BtcEncode 100.00% (7/7) github.com/conformal/btcwire/msgpong.go MsgPong.BtcDecode 100.00% (7/7) github.com/conformal/btcwire/message.go readMessageHeader 100.00% (7/7) -github.com/conformal/btcwire/common.go DoubleSha256 100.00% (7/7) -github.com/conformal/btcwire/msgtx.go MsgTx.TxSha 100.00% (5/5) -github.com/conformal/btcwire/netaddress.go NewNetAddress 100.00% (5/5) -github.com/conformal/btcwire/blockheader.go BlockHeader.BlockSha 100.00% (5/5) -github.com/conformal/btcwire/common.go writeElements 100.00% (5/5) -github.com/conformal/btcwire/msgaddr.go MsgAddr.AddAddress 100.00% (5/5) -github.com/conformal/btcwire/msgaddr.go MsgAddr.AddAddresses 100.00% (5/5) -github.com/conformal/btcwire/common.go readElements 100.00% (5/5) -github.com/conformal/btcwire/shahash.go ShaHash.SetBytes 100.00% (5/5) -github.com/conformal/btcwire/msgping.go MsgPing.BtcEncode 100.00% (5/5) -github.com/conformal/btcwire/msgping.go MsgPing.BtcDecode 100.00% (5/5) -github.com/conformal/btcwire/msgblock.go MsgBlock.TxShas 100.00% (5/5) +github.com/conformal/btcwire/msgversion.go NewMsgVersionFromConn 100.00% (7/7) +github.com/conformal/btcwire/common.go writeVarString 100.00% (7/7) +github.com/conformal/btcwire/common.go DoubleSha256 100.00% (6/6) github.com/conformal/btcwire/msgnotfound.go MsgNotFound.AddInvVect 100.00% (5/5) +github.com/conformal/btcwire/msgaddr.go MsgAddr.AddAddresses 100.00% (5/5) github.com/conformal/btcwire/msginv.go MsgInv.AddInvVect 100.00% (5/5) +github.com/conformal/btcwire/msgaddr.go MsgAddr.AddAddress 100.00% (5/5) github.com/conformal/btcwire/msggetblocks.go MsgGetBlocks.AddBlockLocatorHash 100.00% (5/5) github.com/conformal/btcwire/msggetheaders.go MsgGetHeaders.AddBlockLocatorHash 100.00% (5/5) +github.com/conformal/btcwire/shahash.go NewShaHash 100.00% (5/5) github.com/conformal/btcwire/msgheaders.go MsgHeaders.AddBlockHeader 100.00% (5/5) github.com/conformal/btcwire/msggetdata.go MsgGetData.AddInvVect 100.00% (5/5) -github.com/conformal/btcwire/shahash.go NewShaHash 100.00% (5/5) +github.com/conformal/btcwire/blockheader.go BlockHeader.BlockSha 100.00% (5/5) +github.com/conformal/btcwire/msgtx.go MsgTx.TxSha 100.00% (5/5) +github.com/conformal/btcwire/shahash.go ShaHash.SetBytes 100.00% (5/5) +github.com/conformal/btcwire/common.go readElements 100.00% (5/5) +github.com/conformal/btcwire/msgping.go MsgPing.BtcEncode 100.00% (5/5) +github.com/conformal/btcwire/msgping.go MsgPing.BtcDecode 100.00% (5/5) +github.com/conformal/btcwire/common.go writeElements 100.00% (5/5) +github.com/conformal/btcwire/msgblock.go MsgBlock.TxShas 100.00% (5/5) +github.com/conformal/btcwire/netaddress.go NewNetAddress 100.00% (5/5) github.com/conformal/btcwire/invvect.go readInvVect 100.00% (4/4) github.com/conformal/btcwire/invvect.go writeInvVect 100.00% (4/4) github.com/conformal/btcwire/msgmempool.go MsgMemPool.BtcDecode 100.00% (4/4) @@ -154,5 +154,5 @@ github.com/conformal/btcwire/msggetaddr.go MsgGetAddr.BtcEncode 100.00% (1/1 github.com/conformal/btcwire/msginv.go MsgInv.Command 100.00% (1/1) github.com/conformal/btcwire/msginv.go MsgInv.MaxPayloadLength 100.00% (1/1) github.com/conformal/btcwire/msginv.go NewMsgInv 100.00% (1/1) -github.com/conformal/btcwire --------------------------------- 100.00% (943/943) +github.com/conformal/btcwire --------------------------------- 100.00% (964/964)