auparse - Check socket address size (#152)

cravtos · web-flow · commit e1703add4e6a · 2024-05-21T20:41:33.000-04:00
In auparse.parseSockaddr(), check socket address size
before indexing into the slice to prevent panics. Return an
error detailing the failure.

Add a Go fuzz test to exercise the parseSockaddr() function.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -9,6 +9,8 @@ This project adheres to [Semantic Versioning](http://semver.org/).
 
 ### Changed
 
+- Fix panic in `parseSockaddr` for malformed socket address. [#152](https://github.com/elastic/go-libaudit/pull/152)
+
 ### Removed
 
 ### Deprecated
diff --git a/auparse/sockaddr.go b/auparse/sockaddr.go
@@ -18,10 +18,28 @@
 package auparse
 
 import (
+	"fmt"
 	"strconv"
 )
 
+// invalidSockAddrError means socket address size for family is invalid.
+type invalidSockAddrError struct {
+	family string
+	size   int
+}
+
+func (e invalidSockAddrError) Error() string {
+	if e.size < 4 {
+		return fmt.Sprintf("invalid family: too short: %d", e.size)
+	}
+	return fmt.Sprintf("invalid socket address size family=%s: %d", e.family, e.size)
+}
+
 func parseSockaddr(s string) (map[string]string, error) {
+	if len(s) < 4 {
+		return nil, invalidSockAddrError{size: len(s)}
+	}
+
 	addressFamily, err := hexToDec(s[2:4] + s[0:2]) // host-order
 	if err != nil {
 		return nil, err
@@ -38,6 +56,13 @@ func parseSockaddr(s string) (map[string]string, error) {
 		out["family"] = "unix"
 		out["path"] = socket
 	case 2: // AF_INET
+		if len(s) < 16 {
+			return nil, invalidSockAddrError{
+				family: "ipv4",
+				size:   len(s),
+			}
+		}
+
 		port, err := hexToDec(s[4:8])
 		if err != nil {
 			return nil, err
@@ -52,6 +77,13 @@ func parseSockaddr(s string) (map[string]string, error) {
 		out["addr"] = ip
 		out["port"] = strconv.Itoa(int(port))
 	case 10: // AF_INET6
+		if len(s) < 48 {
+			return nil, invalidSockAddrError{
+				family: "ipv6",
+				size:   len(s),
+			}
+		}
+
 		port, err := hexToDec(s[4:8])
 		if err != nil {
 			return nil, err
diff --git a/auparse/sockaddr_test.go b/auparse/sockaddr_test.go
@@ -56,3 +56,20 @@ func TestParseSockaddr(t *testing.T) {
 		assert.Equal(t, tc.data, data)
 	}
 }
+
+func FuzzParseSockaddr(f *testing.F) {
+	corpus := []string{
+		"02000050080808080000000000000000",
+		"0A000050000000002607F8B0400C0C06000000000000006700000000",
+		"01007075626C69632F7069636B75700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
+		"0A00084300000000000000000000000000000000000000000000000000000000281E7423FD7F0000C05034088F7F000007000000000000001E2D440000000000000000000000000060D758078F7F00000300000000000000C00F020000000000000000000000000005202302000000000200000000000000FFFFFFFFFFFFFFFF",
+	}
+
+	for _, seed := range corpus {
+		f.Add(seed)
+	}
+
+	f.Fuzz(func(t *testing.T, saddr string) {
+		_, _ = parseSockaddr(saddr) // Fuzz for panics
+	})
+}
