Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

api: limit regexes to 1024 chars. #4198

Merged
merged 3 commits into from
Aug 20, 2018
Merged

Conversation

htuch
Copy link
Member

@htuch htuch commented Aug 19, 2018

This avoids stack overflow in libc++ regex parsing libraries. There doesn't seem to be a good reason
to support arbitrary long regexes in Envoy in general.

Discovered by oss-fuzz, resolves ClusterFuzz issues
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8060 and
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8950.

Risk level: Low
Testing: Added corpus entry.

Signed-off-by: Harvey Tuch htuch@google.com

This avoids stack overflow in libc++ regex parsing libraries. There doesn't seem to be a good reason
to support arbitrary long regexes in Envoy in general.

Discovered by oss-fuzz, resolves ClusterFuzz issues
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8060 and
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8950.

Risk level: Low
Testing: Added corpus entry.

Signed-off-by: Harvey Tuch <htuch@google.com>
@danielhochman danielhochman self-assigned this Aug 20, 2018
danielhochman
danielhochman previously approved these changes Aug 20, 2018
@danielhochman
Copy link
Contributor

lgtm. should we add a note somewhere in the docs so that a blame on this PR is not the only point of reference for the constraint?

@htuch htuch merged commit 0337872 into envoyproxy:master Aug 20, 2018
@htuch htuch deleted the bound-regex branch August 20, 2018 22:24
htuch added a commit to htuch/envoy that referenced this pull request Aug 21, 2018
I missed this one in envoyproxy#4198, this fixes oss-fuzz issue
https://oss-fuzz.com/v2/testcase-detail/5085445791678464.

Signed-off-by: Harvey Tuch <htuch@google.com>
htuch added a commit that referenced this pull request Aug 21, 2018
I missed this one in #4198, this fixes oss-fuzz issue
https://oss-fuzz.com/v2/testcase-detail/5085445791678464.

Signed-off-by: Harvey Tuch <htuch@google.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants