From d3cf45e7d045b133e91dd98a8a695fd04d6f2d80 Mon Sep 17 00:00:00 2001
From: aopat
Date: Fri, 3 Apr 2020 10:37:54 +1100
Subject: [PATCH] Safely reject invalid-length span and trace ids (#1206)

---
 plugin/ochttp/propagation/b3/b3.go | 4 ++--
 plugin/ochttp/propagation/b3/b3_test.go | 22 ++++++++++++++++++++++
 2 files changed, 24 insertions(+), 2 deletions(-)

diff --git a/plugin/ochttp/propagation/b3/b3.go b/plugin/ochttp/propagation/b3/b3.go
index 2f1c7f006..9ad885219 100644
--- a/plugin/ochttp/propagation/b3/b3.go
+++ b/plugin/ochttp/propagation/b3/b3.go
@@ -68,7 +68,7 @@ func ParseTraceID(tid string) (trace.TraceID, bool) {
 return trace.TraceID{}, false
 }
 b, err := hex.DecodeString(tid)
- if err != nil {
+ if err != nil || len(b) > 16 {
 return trace.TraceID{}, false
 }
 var traceID trace.TraceID
@@ -90,7 +90,7 @@ func ParseSpanID(sid string) (spanID trace.SpanID, ok bool) {
 return trace.SpanID{}, false
 }
 b, err := hex.DecodeString(sid)
- if err != nil {
+ if err != nil || len(b) > 8 {
 return trace.SpanID{}, false
 }
 start := 8 - len(b)
diff --git a/plugin/ochttp/propagation/b3/b3_test.go b/plugin/ochttp/propagation/b3/b3_test.go
index 4f7b5db86..af3d4dbf0 100644
--- a/plugin/ochttp/propagation/b3/b3_test.go
+++ b/plugin/ochttp/propagation/b3/b3_test.go
@@ -103,6 +103,17 @@ func TestHTTPFormat_FromRequest(t *testing.T) {
 wantSc: trace.SpanContext{},
 wantOk: false,
 },
+ {
+ name: "invalid >128-bit trace ID + 64-bit span ID; no sampling header",
+ makeReq: func() *http.Request {
+ req, _ := http.NewRequest("GET", "http://example.com", nil)
+ req.Header.Set(TraceIDHeader, "0020000000000001002000000000000111")
+ req.Header.Set(SpanIDHeader, "0020000000000001")
+ return req
+ },
+ wantSc: trace.SpanContext{},
+ wantOk: false,
+ },
 {
 name: "128-bit trace ID; invalid span ID; no sampling header",
 makeReq: func() *http.Request {
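Review bot: The new `len(b) > 16` bound in ParseTraceID is evaluated only after hex.DecodeString has already allocated and decoded the whole header value, so an oversized, attacker-supplied X-B3-TraceId still pays for a full decode before it is rejected; the `len(b) > 8` check in the ParseSpanID hunk has the same shape. Because hex.DecodeString already rejects odd-length input, bounding the string before decoding is equivalent and cheaper: `if len(tid) > 32 { return trace.TraceID{}, false }` ahead of the decode (and `len(sid) > 16` in ParseSpanID), or, if the decoded-length form is kept, document the magic number with `// trace.TraceID is 16 bytes; anything longer is not a valid B3 id`. The guard just above the decode is outside the hunk, so whether it already bounds the input length cannot be confirmed here; both functions start and end outside their hunks.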
@@ -114,6 +125,17 @@ func TestHTTPFormat_FromRequest(t *testing.T) {
 wantSc: trace.SpanContext{},
 wantOk: false,
 },
+ {
+ name: "128-bit trace ID; invalid >64 bit span ID; no sampling header",
+ makeReq: func() *http.Request {
+ req, _ := http.NewRequest("GET", "http://example.com", nil)
+ req.Header.Set(TraceIDHeader, "463ac35c9f6413ad48485a3953bb6124")
+ req.Header.Set(SpanIDHeader, "002000000000000111")
+ return req
+ },
+ wantSc: trace.SpanContext{},
+ wantOk: false,
+ },
 {
 name: "128-bit trace ID + 64-bit span ID; sampled=true",
 makeReq: func() *http.Request {