From 3094b52e8f86598c76ca5f1e61e548f4689bffc7 Mon Sep 17 00:00:00 2001
From: csoler
Date: Mon, 11 Jan 2016 19:08:52 -0500
Subject: [PATCH] fixed potential integer overflow / Out of bounds read in rsbaseserial.cc. Also added a few more error output.

---
 libretroshare/src/serialiser/rsbaseserial.cc | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/libretroshare/src/serialiser/rsbaseserial.cc b/libretroshare/src/serialiser/rsbaseserial.cc
index fd19461f1..e38dcb8e0 100644
--- a/libretroshare/src/serialiser/rsbaseserial.cc
+++ b/libretroshare/src/serialiser/rsbaseserial.cc
@@ -40,6 +40,7 @@ bool getRawUInt8(void *data, uint32_t size, uint32_t *offset, uint8_t *out)
 	/* first check there is space */
 	if (size < *offset + 1)
 	{
+		std::cerr << "(EE) Cannot deserialise uint8_t: not enough size." << std::endl;
 		return false;
 	}
 	void *buf = (void *) &(((uint8_t *) data)[*offset]);
@@ -56,6 +57,7 @@ bool setRawUInt8(void *data, uint32_t size, uint32_t *offset, uint8_t in)
 	/* first check there is space */
 	if (size < *offset + 1)
 	{
+		std::cerr << "(EE) Cannot serialise uint8_t: not enough size." << std::endl;
 		return false;
 	}
 
@@ -74,6 +76,7 @@ bool getRawUInt16(void *data, uint32_t size, uint32_t *offset, uint16_t *out)
 	/* first check there is space */
 	if (size < *offset + 2)
 	{
+		std::cerr << "(EE) Cannot deserialise uint16_t: not enough size." << std::endl;
 		return false;
 	}
 	void *buf = (void *) &(((uint8_t *) data)[*offset]);
@@ -92,6 +95,7 @@ bool setRawUInt16(void *data, uint32_t size, uint32_t *offset, uint16_t in)
 	/* first check there is space */
 	if (size < *offset + 2)
 	{
+		std::cerr << "(EE) Cannot serialise uint16_t: not enough size." << std::endl;
 		return false;
 	}
 
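Review bot: The fixed-width getters and setters keep the overflowing form of the bounds check — `if (size < *offset + 1)` in the @@ -40 hunk, and the same with +1/+2/+4/+8 in the -56, -74, -92, -114, -132, -154 and -172 hunks — so the integer-overflow fix this commit applies to the string functions does not reach them: when `*offset` is within N of UINT32_MAX the sum wraps, the check passes, and the access at `data[*offset]` lands past `size`. The subtraction form already used for the strings works here, e.g. `if (size < 1 || size - 1 < *offset)` for the uint8 pair and `if (size < 8 || size - 8 < *offset)` for the uint64 pair. The new `std::cerr` lines also end with `std::endl`, which flushes on every rejected field; on a path that malformed input can hit repeatedly, `'\n'` is the cheaper terminator. The `*offset` update that follows each check is outside these hunks, so whether it can exceed `size` on a previous call cannot be confirmed from here.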
@@ -114,6 +118,7 @@ bool getRawUInt32(void *data, uint32_t size, uint32_t *offset, uint32_t *out)
 	/* first check there is space */
 	if (size < *offset + 4)
 	{
+		std::cerr << "(EE) Cannot deserialise uint32_t: not enough size." << std::endl;
 		return false;
 	}
 	void *buf = (void *) &(((uint8_t *) data)[*offset]);
@@ -132,6 +137,7 @@ bool setRawUInt32(void *data, uint32_t size, uint32_t *offset, uint32_t in)
 	/* first check there is space */
 	if (size < *offset + 4)
 	{
+		std::cerr << "(EE) Cannot serialise uint32_t: not enough size." << std::endl;
 		return false;
 	}
 
@@ -154,6 +160,7 @@ bool getRawUInt64(void *data, uint32_t size, uint32_t *offset, uint64_t *out)
 	/* first check there is space */
 	if (size < *offset + 8)
 	{
+		std::cerr << "(EE) Cannot deserialise uint64_t: not enough size." << std::endl;
 		return false;
 	}
 	void *buf = (void *) &(((uint8_t *) data)[*offset]);
@@ -172,6 +179,7 @@ bool setRawUInt64(void *data, uint32_t size, uint32_t *offset, uint64_t in)
 	/* first check there is space */
 	if (size < *offset + 8)
 	{
+		std::cerr << "(EE) Cannot serialise uint64_t: not enough size." << std::endl;
 		return false;
 	}
 
@@ -231,12 +239,13 @@ bool getRawString(void *data, uint32_t size, uint32_t *offset, std::string &outS
 	}
 
 	/* check there is space for string */
-	if (size < *offset + len)
+	if(len > size || size-len < *offset) // better than if(size < *offset + len) because it avoids integer overflow
 	{
 		std::cerr << "getRawString() not enough size" << std::endl;
 		return false;
 	}
 	uint8_t *buf = &(((uint8_t *) data)[*offset]);
+
 	for (uint32_t i = 0; i < len; i++)
 	{
 		outStr += buf[i];
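Review bot: In the @@ -231 hunk of getRawString, the loop right after the new check copies the payload one byte at a time with `outStr += buf[i]`, which reallocates repeatedly for a large attacker-chosen `len`; `outStr.append(reinterpret_cast<const char *>(buf), len);` does the same in one call and keeps the already-validated length visible at the copy site. The new check itself is right: `len > size || size-len < *offset` is exactly the overflow-free form of `*offset + len <= size`. The empty line added between `uint8_t *buf` and the `for` is an unrelated whitespace change in a security fix. Where `len` is read and where `*offset` is advanced afterwards lie outside this hunk, so whether `*offset` can already exceed `size` on entry cannot be confirmed here.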
@@ -250,11 +259,10 @@ bool setRawString(void *data, uint32_t size, uint32_t *offset, const std::string
 {
 	uint32_t len = inStr.length();
 	/* first check there is space */
-	if (size < *offset + 4 + len)
+
+	if(size < 4 || len > size-4 || size-len-4 < *offset) // better than if(size < *offset + len + 4) because it avoids integer overflow
 	{
-//#ifdef RSSERIAL_DEBUG
 		std::cerr << "setRawString() Not enough size" << std::endl;
-//#endif
 		return false;
 	}
 
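Review bot: `uint32_t len = inStr.length();` on the context line above the new check narrows a `size_t` to 32 bits, so a string of 2^32 bytes or more would pass the new test with a wrapped `len` and be written with a length prefix that does not match its contents; a guard such as `if (inStr.length() > UINT32_MAX - 4) return false;` before the check closes that gap (whether the stdint limit macros are available here depends on the file's includes and language standard — confirm). The new condition `size < 4 || len > size-4 || size-len-4 < *offset` is otherwise the correct overflow-free form of `*offset + 4 + len <= size`. Dropping the `//#ifdef RSSERIAL_DEBUG` guards makes this message unconditional, which matches the unconditional messages added to the other functions in this commit. setRawString continues past the end of this hunk.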