fixed potential integer overflow / Out of bounds read in gxstunnelitems.cc

csoler 2016-01-11 20:49:26 -05:00
parent 8e666fcec3
commit 46520b0e22


@ -343,6 +343,13 @@ RsGxsTunnelDHPublicKeyItem *RsGxsTunnelSerialiser::deserialise_RsGxsTunnelDHPubl
/* get mandatory parts first */ /* get mandatory parts first */
ok &= getRawUInt32(data, rssize, &offset, &s); ok &= getRawUInt32(data, rssize, &offset, &s);
if(s > rssize || rssize - s < offset)
{
std::cerr << "RsGxsTunnelDHPublicKeyItem::() Size error while deserializing." << std::endl ;
delete item ;
return NULL ;
}
item->public_key = BN_bin2bn(&((unsigned char *)data)[offset],s,NULL) ; item->public_key = BN_bin2bn(&((unsigned char *)data)[offset],s,NULL) ;
offset += s ; offset += s ;
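Review bot: The new bounds check on `s` runs whether or not the preceding `getRawUInt32` succeeded, so after a failed read it tests whatever `s` held at its declaration, which is outside this hunk. Testing `ok` first, `if(!ok || s > rssize || rssize - s < offset)`, makes the rejection explicit; the same applies to `item->data_size` in the second hunk. The result of `BN_bin2bn` on the following line is stored in `item->public_key` without a NULL check, and `s` is narrowed to the function's `int` length parameter there, so it is worth confirming that `rssize` is bounded by the real packet length and cannot exceed INT_MAX. In the second hunk the size-error message still names `RsGxsTunnelDHPublicKeyItem` although it sits in `deserialise_RsGxsTunnelDataItem`; naming `RsGxsTunnelDataItem` there would keep malformed-packet logs attributable to the right parser. Both function bodies begin and end outside the visible hunks.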
@ -380,21 +387,22 @@ RsGxsTunnelDataItem *RsGxsTunnelSerialiser::deserialise_RsGxsTunnelDataItem(void
ok &= getRawUInt32(dat, rssize, &offset, &item->service_id); ok &= getRawUInt32(dat, rssize, &offset, &item->service_id);
ok &= getRawUInt32(dat, rssize, &offset, &item->data_size); ok &= getRawUInt32(dat, rssize, &offset, &item->data_size);
if(offset + item->data_size <= size) if(item->data_size > rssize || rssize - item->data_size < offset)
{ {
item->data = (unsigned char*)malloc(item->data_size) ; std::cerr << "RsGxsTunnelDHPublicKeyItem::() Size error while deserializing." << std::endl ;
delete item ;
if(dat == NULL) return NULL ;
{
delete item ;
return NULL ;
}
memcpy(item->data,&((uint8_t*)dat)[offset],item->data_size) ;
offset += item->data_size ;
} }
else item->data = (unsigned char*)malloc(item->data_size) ;
ok = false ;
if(item->data == NULL)
{
delete item ;
return NULL ;
}
memcpy(item->data,&((uint8_t*)dat)[offset],item->data_size) ;
offset += item->data_size ;
if (offset != rssize) if (offset != rssize)