fixed potential integer overflow / Out of bounds read in gxstunnelitems.cc

This commit is contained in:
csoler 2016-01-11 20:49:26 -05:00
parent 8e666fcec3
commit 46520b0e22

View File

@ -343,6 +343,13 @@ RsGxsTunnelDHPublicKeyItem *RsGxsTunnelSerialiser::deserialise_RsGxsTunnelDHPubl
/* get mandatory parts first */ /* get mandatory parts first */
ok &= getRawUInt32(data, rssize, &offset, &s); ok &= getRawUInt32(data, rssize, &offset, &s);
if(s > rssize || rssize - s < offset)
{
std::cerr << "RsGxsTunnelDHPublicKeyItem::() Size error while deserializing." << std::endl ;
delete item ;
return NULL ;
}
item->public_key = BN_bin2bn(&((unsigned char *)data)[offset],s,NULL) ; item->public_key = BN_bin2bn(&((unsigned char *)data)[offset],s,NULL) ;
offset += s ; offset += s ;
@ -380,11 +387,15 @@ RsGxsTunnelDataItem *RsGxsTunnelSerialiser::deserialise_RsGxsTunnelDataItem(void
ok &= getRawUInt32(dat, rssize, &offset, &item->service_id); ok &= getRawUInt32(dat, rssize, &offset, &item->service_id);
ok &= getRawUInt32(dat, rssize, &offset, &item->data_size); ok &= getRawUInt32(dat, rssize, &offset, &item->data_size);
if(offset + item->data_size <= size) if(item->data_size > rssize || rssize - item->data_size < offset)
{ {
std::cerr << "RsGxsTunnelDHPublicKeyItem::() Size error while deserializing." << std::endl ;
delete item ;
return NULL ;
}
item->data = (unsigned char*)malloc(item->data_size) ; item->data = (unsigned char*)malloc(item->data_size) ;
if(dat == NULL) if(item->data == NULL)
{ {
delete item ; delete item ;
return NULL ; return NULL ;
@ -392,9 +403,6 @@ RsGxsTunnelDataItem *RsGxsTunnelSerialiser::deserialise_RsGxsTunnelDataItem(void
memcpy(item->data,&((uint8_t*)dat)[offset],item->data_size) ; memcpy(item->data,&((uint8_t*)dat)[offset],item->data_size) ;
offset += item->data_size ; offset += item->data_size ;
}
else
ok = false ;
if (offset != rssize) if (offset != rssize)