Skip to content

Fix: prevent signed integer overflow in OP_MSG message sizes #2693

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
HyperPS wants to merge 6 commits into
base: master
Choose a base branch
from
Open

Fix: prevent signed integer overflow in OP_MSG message sizes #2693

HyperPS wants to merge 6 commits into from
+102 −38

Conversation

@HyperPS
Copy link

@HyperPS HyperPS commented Jan 30, 2026

Changes in this PR

This change fixes multiple signed integer overflow risks when computing MongoDB wire protocol message lengths in the C extension (pymongo/_cmessagemodule.c).

Previously, several message size calculations were performed using int and written directly into int32 fields without validating bounds. In edge cases involving large buffers or payloads, this could lead to signed integer truncation, incorrect message lengths, and potential memory corruption.

This patch:

  • Introduces a shared _check_int32_size() helper to validate all computed
    message and section sizes before downcasting to int32_t
  • Converts intermediate size calculations to size_t
  • Applies consistent bounds checks across:
    • OP_QUERY
    • OP_GET_MORE
    • OP_MSG (including type 1 payloads)
    • Batched OP_MSG writes
    • Batched legacy write commands

Security Impact

This issue was reported via Huntr as a potential integer overflow leading to malformed MongoDB wire protocol messages. While exploitation requires crafted inputs, validating message sizes defensively prevents undefined behavior and improves robustness of the PyMongo C extension.

Huntr report:

@HyperPS HyperPS requested a review from a team as a code owner January 30, 2026 15:31
@HyperPS HyperPS requested a review from sleepyStick January 30, 2026 15:31
Jibola
Jibola requested changes Jan 31, 2026
View reviewed changes
Copy link
Contributor

@Jibola Jibola left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for identifying this code improvement.

Overall, Logic looks good, but please fix formatting to match _cmessagemodule.c and confirm all length writes now use _check_int32_size.

@HyperPS
Copy link
Author

HyperPS commented Feb 1, 2026

This fixes signed int32 overflow issues in OP_MSG and buffer size calculations by validating message and section lengths before casting to int32, preventing integer truncation and potential memory corruption.
Please let me know if you’d like any adjustments.

HyperPS and others added 2 commits February 1, 2026 15:14
@HyperPS @Jibola
Apply suggestion from @Jibola
3211211 
Co-authored-by: Jib <Jibzade@gmail.com>
@HyperPS @Jibola
Update pymongo/_cmessagemodule.c
f170513 
Co-authored-by: Jib <Jibzade@gmail.com>
@HyperPS HyperPS requested a review from Jibola February 1, 2026 20:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sleepyStick sleepyStick Awaiting requested review from sleepyStick sleepyStick is a code owner automatically assigned from mongodb/dbx-python

@Jibola Jibola Awaiting requested review from Jibola

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@HyperPS @Jibola