From 0120859e1ea2f0591602f446d4bc054e9230c801 Mon Sep 17 00:00:00 2001 From: lurchi Date: Sun, 7 Jan 2018 22:34:39 +0100 Subject: [PATCH] more size checking; tokenize only after size check --- src/social/gnunet-service-social.c | 36 ++++++++++++++++++++++-------- 1 file changed, 27 insertions(+), 9 deletions(-) diff --git a/src/social/gnunet-service-social.c b/src/social/gnunet-service-social.c index 60f1b348d..31e3a3dc2 100644 --- a/src/social/gnunet-service-social.c +++ b/src/social/gnunet-service-social.c @@ -1393,8 +1393,7 @@ msg_proc_parse (const struct MsgProcRequest *mpreq, struct GNUNET_HashCode *method_hash) { ssize_t method_size = ntohs (mpreq->header.size) - sizeof (*mpreq); - uint16_t offset = GNUNET_STRINGS_buffer_tokenize ((const char *) &mpreq[1], - method_size, 1, method_prefix); + uint16_t offset; if (method_size < 0) { @@ -1402,6 +1401,11 @@ msg_proc_parse (const struct MsgProcRequest *mpreq, "MsgProcRequest has invalid size\n"); return GNUNET_SYSERR; } + + offset = GNUNET_STRINGS_buffer_tokenize ((const char *) &mpreq[1], + method_size, + 1, + method_prefix); if (0 == offset || offset != method_size || *method_prefix == NULL) { GNUNET_log (GNUNET_ERROR_TYPE_ERROR, @@ -2147,20 +2151,34 @@ handle_client_app_connect (void *cls, { struct Client *c = cls; struct GNUNET_SERVICE_Client *client = c->client; - - uint8_t app_id_size = ntohs (creq->header.size) - sizeof (*creq); + ssize_t app_id_size = ntohs (creq->header.size) - sizeof (*creq); const char *app_id = NULL; - uint16_t offset = GNUNET_STRINGS_buffer_tokenize ((const char *) &creq[1], - app_id_size, 1, &app_id); + uint16_t offset; + + if (app_id_size < 0) + { + GNUNET_log (GNUNET_ERROR_TYPE_ERROR, + "AppConnectRequest has invalid size\n"); + GNUNET_break (0); + GNUNET_SERVICE_client_drop (client); + return; + } + + offset = GNUNET_STRINGS_buffer_tokenize ((const char *) &creq[1], + (size_t) app_id_size, + 1, + &app_id); if (0 == offset || offset != app_id_size) { + GNUNET_log (GNUNET_ERROR_TYPE_ERROR, + "AppConnectRequest contains invalid app ID\n"); GNUNET_break (0); GNUNET_SERVICE_client_drop (client); return; } struct GNUNET_HashCode app_id_hash; - GNUNET_CRYPTO_hash (app_id, app_id_size, &app_id_hash); + GNUNET_CRYPTO_hash (app_id, (size_t) app_id_size, &app_id_hash); GNUNET_CONTAINER_multihashmap_iterate (egos, ego_entry, client); app_notify_ego_end (client); @@ -2185,8 +2203,8 @@ handle_client_app_connect (void *cls, GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "%p Application %s connected.\n", app, app_id); - c->app_id = GNUNET_malloc (app_id_size); - GNUNET_memcpy (c->app_id, app_id, app_id_size); + c->app_id = GNUNET_malloc ((size_t) app_id_size); + GNUNET_memcpy (c->app_id, app_id, (size_t) app_id_size); GNUNET_SERVICE_client_continue (client); } -- 2.25.1