[packetbeat] MongoDB parser fix bounds checks#47925
Merged
stanek-michal merged 6 commits intomainfrom Dec 15, 2025
Merged
Conversation
botelastic
bot
added
the
needs_team
Contributor
🤖 GitHub commentsJust comment with:
|
Contributor
|
This pull request does not have a backport label.
To fixup this pull request, you need to add the backport labels for the needed
|
stanek-michal
added
bug
Team:Security-Linux Platform
botelastic
bot
removed
the
needs_team
Contributor
|
Pinging @elastic/sec-linux-platform (Team:Security-Linux Platform) |
stanek-michal
added
backport-8.19
Issues addressed: - Negative message length causing panic in truncate() - Negative BSON document length causing slice bounds panic - Negative or excessive numberReturned in OP_REPLY causing allocation panic - Negative document sequence size in OP_MSG causing integer overflow - Error handling gap in OP_QUERY where first readDocument error was lost
Add tests verifying that malformed packets are properly rejected. Test coverage added: - Negative message length (0x80000000) - Message length smaller than header (< 16 bytes) - Negative BSON document length (-1) - Zero BSON document length - Negative numberReturned in OP_REPLY - Excessively large numberReturned (0x3FFFFFFF) - Negative OP_MSG document sequence size - OP_MSG sequence size exceeding buffer - Valid OP_REPLY parsing (regression test) All tests use deferred recover() to catch any panics that would indicate the fixes are not working properly. --- How to Test cd packetbeat/protos/mongodb && go test -v ./... cd packetbeat/protos/mongodb && go test -race -v ./... cd packetbeat/protos/mongodb && go test -v -run TestMongodbParser_negativeMessageLength
stanek-michal
force-pushed
the
mongodb-parser-fixes
branch
from
5fc03b6 to
c48cda7
Compare
nicholasberlin
approved these changes
Dec 4, 2025
Contributor
nicholasberlin
left a comment
nicholasberlin
left a comment
There was a problem hiding this comment.
Assuming my comments about int( are bogus, LGTM
nfritts
requested changes
Dec 8, 2025
Contributor
nfritts
left a comment
nfritts
left a comment
There was a problem hiding this comment.
Any logging that can be triggered by "Every" packet should be Debug at the highest.
Contributor
Author
good point, fixed. |
nfritts
approved these changes
Dec 9, 2025
mergify bot
pushed a commit
that referenced
this pull request
Dec 15, 2025
* [Packetbeat] Fix bounds checking in MongoDB protocol parser Issues addressed: - Negative message length causing panic in truncate() - Negative BSON document length causing slice bounds panic - Negative or excessive numberReturned in OP_REPLY causing allocation panic - Negative document sequence size in OP_MSG causing integer overflow - Error handling gap in OP_QUERY where first readDocument error was lost * [Packetbeat] Add more MongoDB protocol parser tests Add tests verifying that malformed packets are properly rejected. Test coverage added: - Negative message length (0x80000000) - Message length smaller than header (< 16 bytes) - Negative BSON document length (-1) - Zero BSON document length - Negative numberReturned in OP_REPLY - Excessively large numberReturned (0x3FFFFFFF) - Negative OP_MSG document sequence size - OP_MSG sequence size exceeding buffer - Valid OP_REPLY parsing (regression test) All tests use deferred recover() to catch any panics that would indicate the fixes are not working properly. --- How to Test cd packetbeat/protos/mongodb && go test -v ./... cd packetbeat/protos/mongodb && go test -race -v ./... cd packetbeat/protos/mongodb && go test -v -run TestMongodbParser_negativeMessageLength * update changelog with packetbeat mongodb changes * Switch logging to debug on invalid packets * formatting * nolint for binary parsing (cherry picked from commit 306d2f4)
mergify bot
pushed a commit
that referenced
this pull request
Dec 15, 2025
* [Packetbeat] Fix bounds checking in MongoDB protocol parser Issues addressed: - Negative message length causing panic in truncate() - Negative BSON document length causing slice bounds panic - Negative or excessive numberReturned in OP_REPLY causing allocation panic - Negative document sequence size in OP_MSG causing integer overflow - Error handling gap in OP_QUERY where first readDocument error was lost * [Packetbeat] Add more MongoDB protocol parser tests Add tests verifying that malformed packets are properly rejected. Test coverage added: - Negative message length (0x80000000) - Message length smaller than header (< 16 bytes) - Negative BSON document length (-1) - Zero BSON document length - Negative numberReturned in OP_REPLY - Excessively large numberReturned (0x3FFFFFFF) - Negative OP_MSG document sequence size - OP_MSG sequence size exceeding buffer - Valid OP_REPLY parsing (regression test) All tests use deferred recover() to catch any panics that would indicate the fixes are not working properly. --- How to Test cd packetbeat/protos/mongodb && go test -v ./... cd packetbeat/protos/mongodb && go test -race -v ./... cd packetbeat/protos/mongodb && go test -v -run TestMongodbParser_negativeMessageLength * update changelog with packetbeat mongodb changes * Switch logging to debug on invalid packets * formatting * nolint for binary parsing (cherry picked from commit 306d2f4)
mergify bot
pushed a commit
that referenced
this pull request
Dec 15, 2025
* [Packetbeat] Fix bounds checking in MongoDB protocol parser Issues addressed: - Negative message length causing panic in truncate() - Negative BSON document length causing slice bounds panic - Negative or excessive numberReturned in OP_REPLY causing allocation panic - Negative document sequence size in OP_MSG causing integer overflow - Error handling gap in OP_QUERY where first readDocument error was lost * [Packetbeat] Add more MongoDB protocol parser tests Add tests verifying that malformed packets are properly rejected. Test coverage added: - Negative message length (0x80000000) - Message length smaller than header (< 16 bytes) - Negative BSON document length (-1) - Zero BSON document length - Negative numberReturned in OP_REPLY - Excessively large numberReturned (0x3FFFFFFF) - Negative OP_MSG document sequence size - OP_MSG sequence size exceeding buffer - Valid OP_REPLY parsing (regression test) All tests use deferred recover() to catch any panics that would indicate the fixes are not working properly. --- How to Test cd packetbeat/protos/mongodb && go test -v ./... cd packetbeat/protos/mongodb && go test -race -v ./... cd packetbeat/protos/mongodb && go test -v -run TestMongodbParser_negativeMessageLength * update changelog with packetbeat mongodb changes * Switch logging to debug on invalid packets * formatting * nolint for binary parsing (cherry picked from commit 306d2f4)
This was referenced Dec 15, 2025
5 tasks
pierrehilbert
pushed a commit
that referenced
this pull request
Dec 22, 2025
* [Packetbeat] Fix bounds checking in MongoDB protocol parser Issues addressed: - Negative message length causing panic in truncate() - Negative BSON document length causing slice bounds panic - Negative or excessive numberReturned in OP_REPLY causing allocation panic - Negative document sequence size in OP_MSG causing integer overflow - Error handling gap in OP_QUERY where first readDocument error was lost * [Packetbeat] Add more MongoDB protocol parser tests Add tests verifying that malformed packets are properly rejected. Test coverage added: - Negative message length (0x80000000) - Message length smaller than header (< 16 bytes) - Negative BSON document length (-1) - Zero BSON document length - Negative numberReturned in OP_REPLY - Excessively large numberReturned (0x3FFFFFFF) - Negative OP_MSG document sequence size - OP_MSG sequence size exceeding buffer - Valid OP_REPLY parsing (regression test) All tests use deferred recover() to catch any panics that would indicate the fixes are not working properly. --- How to Test cd packetbeat/protos/mongodb && go test -v ./... cd packetbeat/protos/mongodb && go test -race -v ./... cd packetbeat/protos/mongodb && go test -v -run TestMongodbParser_negativeMessageLength * update changelog with packetbeat mongodb changes * Switch logging to debug on invalid packets * formatting * nolint for binary parsing (cherry picked from commit 306d2f4) Co-authored-by: Michal Stanek <75310947+stanek-michal@users.noreply.github.com>
pierrehilbert
pushed a commit
that referenced
this pull request
Dec 22, 2025
* [Packetbeat] Fix bounds checking in MongoDB protocol parser Issues addressed: - Negative message length causing panic in truncate() - Negative BSON document length causing slice bounds panic - Negative or excessive numberReturned in OP_REPLY causing allocation panic - Negative document sequence size in OP_MSG causing integer overflow - Error handling gap in OP_QUERY where first readDocument error was lost * [Packetbeat] Add more MongoDB protocol parser tests Add tests verifying that malformed packets are properly rejected. Test coverage added: - Negative message length (0x80000000) - Message length smaller than header (< 16 bytes) - Negative BSON document length (-1) - Zero BSON document length - Negative numberReturned in OP_REPLY - Excessively large numberReturned (0x3FFFFFFF) - Negative OP_MSG document sequence size - OP_MSG sequence size exceeding buffer - Valid OP_REPLY parsing (regression test) All tests use deferred recover() to catch any panics that would indicate the fixes are not working properly. --- How to Test cd packetbeat/protos/mongodb && go test -v ./... cd packetbeat/protos/mongodb && go test -race -v ./... cd packetbeat/protos/mongodb && go test -v -run TestMongodbParser_negativeMessageLength * update changelog with packetbeat mongodb changes * Switch logging to debug on invalid packets * formatting * nolint for binary parsing (cherry picked from commit 306d2f4) Co-authored-by: Michal Stanek <75310947+stanek-michal@users.noreply.github.com>
pierrehilbert
pushed a commit
that referenced
this pull request
Dec 22, 2025
* [Packetbeat] Fix bounds checking in MongoDB protocol parser Issues addressed: - Negative message length causing panic in truncate() - Negative BSON document length causing slice bounds panic - Negative or excessive numberReturned in OP_REPLY causing allocation panic - Negative document sequence size in OP_MSG causing integer overflow - Error handling gap in OP_QUERY where first readDocument error was lost * [Packetbeat] Add more MongoDB protocol parser tests Add tests verifying that malformed packets are properly rejected. Test coverage added: - Negative message length (0x80000000) - Message length smaller than header (< 16 bytes) - Negative BSON document length (-1) - Zero BSON document length - Negative numberReturned in OP_REPLY - Excessively large numberReturned (0x3FFFFFFF) - Negative OP_MSG document sequence size - OP_MSG sequence size exceeding buffer - Valid OP_REPLY parsing (regression test) All tests use deferred recover() to catch any panics that would indicate the fixes are not working properly. --- How to Test cd packetbeat/protos/mongodb && go test -v ./... cd packetbeat/protos/mongodb && go test -race -v ./... cd packetbeat/protos/mongodb && go test -v -run TestMongodbParser_negativeMessageLength * update changelog with packetbeat mongodb changes * Switch logging to debug on invalid packets * formatting * nolint for binary parsing (cherry picked from commit 306d2f4) Co-authored-by: Michal Stanek <75310947+stanek-michal@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Proposed commit message
packetbeat: fix bounds checking in mongodb protocol parser
Checklist
stresstest.shscript to run them under stress conditions and race detector to verify their stability../changelog/fragmentsusing the changelog tool.How to test this PR locally
cd packetbeat/protos/mongodb && go test -v ./...