From 75c0efba47097363df7ca74bb6f8542b31421265 Mon Sep 17 00:00:00 2001
From: Bart Polot
Date: Tue, 17 Jun 2014 12:13:37 +0000
Subject: [PATCH] - check message size to avoid infinite loop

---
 src/cadet/gnunet-service-cadet_tunnel.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/src/cadet/gnunet-service-cadet_tunnel.c b/src/cadet/gnunet-service-cadet_tunnel.c
index 4597a24a7..0624b9ffd 100644
--- a/src/cadet/gnunet-service-cadet_tunnel.c
+++ b/src/cadet/gnunet-service-cadet_tunnel.c
@@ -1953,9 +1953,17 @@ GCT_handle_encrypted (struct CadetTunnel *t,
   off = 0;
   while (off < decrypted_size)
   {
+    uint16_t msize;
+
     msgh = (struct GNUNET_MessageHeader *) &cbuf[off];
+    msize = ntohs (msgh->size);
+    if (msize < sizeof (struct GNUNET_MessageHeader))
+    {
+      GNUNET_break_op (0);
+      return;
+    }
     handle_decrypted (t, msgh, GNUNET_SYSERR);
-    off += ntohs (msgh->size);
+    off += msize;
   }
 }
--
2.25.1
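Review bot: The new guard only rejects a peer-supplied size smaller than the header, so a message whose `msize` extends past `decrypted_size` is still handed to handle_decrypted with a length that reaches beyond the decrypted bytes in cbuf — the zero-size infinite loop is fixed, but an over-read from a malformed ciphertext is not. The check should bound the upper end against the remaining buffer as well, `if ((msize < sizeof (struct GNUNET_MessageHeader)) || (msize > decrypted_size - off))`. The header itself is read at `msgh->size` before any size is known, so unless the caller guarantees a whole header fits at every `off` (not visible here), a `if (decrypted_size - off < sizeof (struct GNUNET_MessageHeader)) { GNUNET_break_op (0); return; }` before the cast is also warranted; the types of `off` and `decrypted_size` are not shown, so confirm the subtraction is unsigned and cannot wrap. GCT_handle_encrypted begins outside the hunk.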