From 76a029cc8d1dbf3d470079e98be1f3b7c4783ef0 Mon Sep 17 00:00:00 2001
From: Gabor X Toth <*@tg-x.net>
Date: Thu, 22 Sep 2016 11:35:38 +0000
Subject: [PATCH] psyc,psycstore,social fixes

---
 src/psyc/psyc_api.c           | 11 +++++++++--
 src/psycstore/psycstore_api.c |  7 +++++--
 src/social/social_api.c       | 17 +++++++++++++----
 3 files changed, 27 insertions(+), 8 deletions(-)

diff --git a/src/psyc/psyc_api.c b/src/psyc/psyc_api.c
index 9c5832293..9769bb853 100644
--- a/src/psyc/psyc_api.c
+++ b/src/psyc/psyc_api.c
@@ -386,6 +386,11 @@ handle_channel_state_result (void *cls,
   }
   const struct GNUNET_MessageHeader *mod = GNUNET_MQ_extract_nested_mh (res);
+  if (NULL == mod)
+  {
+    GNUNET_break_op (0);
+    return;
+  }
   uint16_t mod_size = ntohs (mod->size);
   switch (ntohs (mod->type))
@@ -397,9 +402,11 @@ handle_channel_state_result (void *cls,
     const char *name = (const char *) &pmod[1];
     uint16_t name_size = ntohs (pmod->name_size);
-    if ('\0' != name[name_size - 1])
+    if (0 == name_size
+        || mod_size - sizeof (*pmod) < name_size
+        || '\0' != name[name_size - 1])
     {
-      GNUNET_break (0);
+      GNUNET_break_op (0);
       return;
     }
     sr->var_cb (sr->cls, mod, name, name + name_size,
diff --git a/src/psycstore/psycstore_api.c b/src/psycstore/psycstore_api.c
index 7bbf2e3d8..480d594fc 100644
--- a/src/psycstore/psycstore_api.c
+++ b/src/psycstore/psycstore_api.c
@@ -122,7 +122,7 @@ check_result_code (void *cls, const struct OperationResult *opres)
 {
   uint16_t size = ntohs (opres->header.size);
   const char *str = (const char *) &opres[1];
-  if ( (sizeof (struct OperationResult) < size) &&
+  if ( (sizeof (*opres) < size) &&
        ('\0' != str[size - sizeof (*opres) - 1]) )
   {
     GNUNET_break (0);
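Review bot: The `NULL == mod` check sits in `handle_channel_state_result` and just returns, so a malformed nested message is dropped inside the handler rather than rejected at the MQ check stage the way this same patch does in social_api.c, where `check_place_state_result` logs and returns `GNUNET_SYSERR`. If the client has a pending state request tied to `sr`, it presumably never sees a completion for the dropped result; worth confirming against the caller. If a `check_` callback exists for this message type, moving the `NULL == mod` validation there, e.g. `if (NULL == mod) return GNUNET_SYSERR;`, would keep the handler free of silent-drop paths. The enclosing function starts before the hunk and continues after it.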
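Review bot: `mod_size - sizeof (*pmod) < name_size` is evaluated in `size_t` because `sizeof` is unsigned, so when `mod_size` is smaller than `sizeof (*pmod)` the subtraction wraps to a large value, the new bound passes, and `name[name_size - 1]` is read past the nested message — unless the case that casts `mod` to `pmod` (outside the hunk) already checks `mod_size` against `sizeof (*pmod)`, which is not visible here. Adding `|| mod_size < sizeof (*pmod)` immediately before the subtraction term closes that gap, since GNUNET_MQ_extract_nested_mh can only vouch for a complete message header, not for a full modifier struct, as far as I can tell. The same shape appears in social_api.c at `@@ -700,7 +707,9 @@` and, as `size - sizeof (*sres)`, in psycstore_api.c at `@@ -244,9 +244,12 @@`, where the handler's declared minimum message size may already bound `size`. The switch case and the function continue outside the hunk.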
@@ -244,9 +244,12 @@ static int
 check_result_state (void *cls, const struct StateResult *sres)
 {
   const char *name = (const char *) &sres[1];
+  uint16_t size = ntohs (sres->header.size);
   uint16_t name_size = ntohs (sres->name_size);
-  if (name_size <= 2 || '\0' != name[name_size - 1])
+  if (name_size <= 2
+      || size - sizeof (*sres) < name_size
+      || '\0' != name[name_size - 1])
   {
     LOG (GNUNET_ERROR_TYPE_ERROR,
          "check_result_state: Received state result message with invalid name.\n");
diff --git a/src/social/social_api.c b/src/social/social_api.c
index e34774aae..f05e437ca 100644
--- a/src/social/social_api.c
+++ b/src/social/social_api.c
@@ -657,10 +657,17 @@ check_place_state_result (void *cls,
                           const struct GNUNET_OperationResultMessage *res)
 {
   const struct GNUNET_MessageHeader *mod = GNUNET_MQ_extract_nested_mh (res);
-  uint16_t mod_size = ntohs (mod->size);
-  uint16_t size = ntohs (res->header.size);
+  if (NULL == mod)
+  {
+    GNUNET_break_op (0);
+    LOG (GNUNET_ERROR_TYPE_WARNING,
+         "Invalid modifier in state result\n");
+    return GNUNET_SYSERR;
+  }
-  if (NULL == mod || size - sizeof (*res) != mod_size)
+  uint16_t size = ntohs (res->header.size);
+  uint16_t mod_size = ntohs (mod->size);
+  if (size - sizeof (*res) != mod_size)
   {
     GNUNET_break_op (0);
     LOG (GNUNET_ERROR_TYPE_WARNING,
@@ -700,7 +707,9 @@ handle_place_state_result (void *cls,
     const char *name = (const char *) &pmod[1];
     uint16_t name_size = ntohs (pmod->name_size);
-    if ('\0' != name[name_size - 1])
+    if (0 == name_size
+        || mod_size - sizeof (*pmod) < name_size
+        || '\0' != name[name_size - 1])
     {
       GNUNET_break_op (0);
       LOG (GNUNET_ERROR_TYPE_WARNING,
-- 
2.25.1
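Review bot: `check_place_state_result` is the MQ check callback for this message, yet the modifier's name bound is validated again in `handle_place_state_result` (hunk `@@ -700,7 +707,9 @@`) with a second `GNUNET_break_op`/`LOG` path, so the message is inspected twice and the handler still carries a drop path. The nested-message checks — `NULL == mod`, the exact-size match here, and the `name_size` bound there — could all live in this check function so the handler can assume a well-formed modifier, which would also collapse the two branches here that both start with `GNUNET_break_op (0); LOG (GNUNET_ERROR_TYPE_WARNING, ...)`. Whether the modifier type is already known at check time depends on the switch in the handler, which is outside this hunk, so this may need a small type dispatch moved over as well.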