- fix #3928: make sure accessed variables are below size threshold

author Bart Polot <bart@net.in.tum.de>

Wed, 19 Aug 2015 10:53:50 +0000 (10:53 +0000)

committer Bart Polot <bart@net.in.tum.de>

Wed, 19 Aug 2015 10:53:50 +0000 (10:53 +0000)
author Bart Polot <bart@net.in.tum.de>
Wed, 19 Aug 2015 10:53:50 +0000 (10:53 +0000)
committer Bart Polot <bart@net.in.tum.de>
Wed, 19 Aug 2015 10:53:50 +0000 (10:53 +0000)
diff --git a/src/cadet/gnunet-service-cadet_tunnel.c b/src/cadet/gnunet-service-cadet_tunnel.c

index 99551e958cf958a117a6d291157c14f0504da73b..c165b13c04a5c8a001b62fa3029fa2ef447bb75a 100644 (file)
--- a/src/cadet/gnunet-service-cadet_tunnel.c
+++ b/src/cadet/gnunet-service-cadet_tunnel.c
@@ -3134,7 +3134,7 @@ GCT_handle_encrypted (struct CadetTunnel *t,
       this loop may be unaligned, see util's MST for
       how to do this right. */
    off = 0;
-  while (off < decrypted_size)
+  while (off + sizeof (struct GNUNET_MessageHeader) < decrypted_size)
    {
      uint16_t msize;
  
@@ -3145,6 +3145,11 @@ GCT_handle_encrypted (struct CadetTunnel *t,
        GNUNET_break_op (0);
        return;
      }
+    if (off + msize < decrypted_size)
+    {
+      GNUNET_break_op (0);
+      return;
+    }
      handle_decrypted (t, msgh, GNUNET_SYSERR);
      off += msize;
    }
author	Bart Polot <bart@net.in.tum.de>
	Wed, 19 Aug 2015 10:53:50 +0000 (10:53 +0000)
committer	Bart Polot <bart@net.in.tum.de>
	Wed, 19 Aug 2015 10:53:50 +0000 (10:53 +0000)