Git-Mirrors/RetroShare
1
0
Fork 0
mirror of https://github.com/RetroShare/RetroShare.git synced 2025-01-28 16:27:01 -05:00
Code Issues Actions Packages Projects Releases Wiki Activity

fixed potential integer overflow / Out of bounds read in GRouterItems.cc

Browse Source
This commit is contained in:
csoler 2016-01-11 19:26:54 -05:00
parent 3094b52e8f
commit 98f0c101b9
1 changed files with 30 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

49
libretroshare/src/grouter/grouteritems.cc
View File

@ -66,6 +66,12 @@ RsGRouterTransactionChunkItem *RsGRouterSerialiser::deserialise_RsGRouterTransac
uint32_t rssize = getRsItemSize(data); uint32_t rssize = getRsItemSize(data);
bool ok = true ; bool ok = true ;
if(tlvsize < rssize)
{
std::cerr << __PRETTY_FUNCTION__ << ": wrong encoding of item size. Serialisation error!" << std::endl;
return NULL ;
}
RsGRouterTransactionChunkItem *item = new RsGRouterTransactionChunkItem() ; RsGRouterTransactionChunkItem *item = new RsGRouterTransactionChunkItem() ;
/* add mandatory parts first */ /* add mandatory parts first */
@ -74,15 +80,15 @@ RsGRouterTransactionChunkItem *RsGRouterSerialiser::deserialise_RsGRouterTransac
ok &= getRawUInt32(data, tlvsize, &offset, &item->chunk_size); ok &= getRawUInt32(data, tlvsize, &offset, &item->chunk_size);
ok &= getRawUInt32(data, tlvsize, &offset, &item->total_size); ok &= getRawUInt32(data, tlvsize, &offset, &item->total_size);
if( NULL == (item->chunk_data = (uint8_t*)malloc(item->chunk_size))) if(item->chunk_size > rssize || offset > rssize - item->chunk_size) // better than if(item->chunk_size + offset > rssize)
{ {
std::cerr << __PRETTY_FUNCTION__ << ": Cannot allocate memory for chunk " << item->chunk_size << std::endl; std::cerr << __PRETTY_FUNCTION__ << ": Cannot read beyond item size. Serialisation error!" << std::endl;
delete item; delete item;
return NULL ; return NULL ;
} }
if(item->chunk_size + offset > rssize) if( NULL == (item->chunk_data = (uint8_t*)malloc(item->chunk_size)))
{ {
std::cerr << __PRETTY_FUNCTION__ << ": Cannot read beyond item size. Serialisation error!" << std::endl; std::cerr << __PRETTY_FUNCTION__ << ": Cannot allocate memory for chunk " << item->chunk_size << std::endl;
delete item; delete item;
return NULL ; return NULL ;
} }
@ -125,36 +131,41 @@ RsGRouterGenericDataItem *RsGRouterSerialiser::deserialise_RsGRouterGenericDataI
uint32_t rssize = getRsItemSize(data); uint32_t rssize = getRsItemSize(data);
bool ok = true ; bool ok = true ;
if(pktsize < rssize)
{
std::cerr << __PRETTY_FUNCTION__ << ": wrong encoding of item size. Serialisation error!" << std::endl;
return NULL ;
}
RsGRouterGenericDataItem *item = new RsGRouterGenericDataItem() ; RsGRouterGenericDataItem *item = new RsGRouterGenericDataItem() ;
ok &= getRawUInt64(data, pktsize, &offset, &item->routing_id); ok &= getRawUInt64(data, pktsize, &offset, &item->routing_id);
ok &= item->destination_key.deserialise(data, pktsize, offset) ; ok &= item->destination_key.deserialise(data, pktsize, offset) ;
ok &= getRawUInt32(data, pktsize, &offset, &item->service_id); ok &= getRawUInt32(data, pktsize, &offset, &item->service_id);
ok &= getRawUInt32(data, pktsize, &offset, &item->data_size); ok &= getRawUInt32(data, pktsize, &offset, &item->data_size);
if( NULL == (item->data_bytes = (uint8_t*)malloc(item->data_size))) if(item->data_size > rssize || offset > rssize - item->data_size) // better than if(item->data_size + offset > rssize)
{
std::cerr << __PRETTY_FUNCTION__ << ": Cannot read beyond item size. Serialisation error!" << std::endl;
delete item;
return NULL ;
}
if( NULL == (item->data_bytes = (uint8_t*)malloc(item->data_size)))
{ {
std::cerr << __PRETTY_FUNCTION__ << ": Cannot allocate memory for chunk " << item->data_size << std::endl; std::cerr << __PRETTY_FUNCTION__ << ": Cannot allocate memory for chunk " << item->data_size << std::endl;
delete item; delete item;
return NULL ; return NULL ;
} }
if(item->data_size + offset > rssize) memcpy(item->data_bytes,&((uint8_t*)data)[offset],item->data_size) ;
{
std::cerr << __PRETTY_FUNCTION__ << ": Cannot read beyond item size. Serialisation error!" << std::endl;
delete item;
return NULL ;
}
memcpy(item->data_bytes,&((uint8_t*)data)[offset],item->data_size) ;
offset += item->data_size ; offset += item->data_size ;
ok &= item->signature.GetTlv(data, pktsize, &offset) ; ok &= item->signature.GetTlv(data, pktsize, &offset) ;
ok &= getRawUInt32(data, pktsize, &offset, &item->randomized_distance); ok &= getRawUInt32(data, pktsize, &offset, &item->randomized_distance);
ok &= getRawUInt32(data, pktsize, &offset, &item->flags); ok &= getRawUInt32(data, pktsize, &offset, &item->flags);
if (offset != rssize || !ok) if (offset != rssize || !ok)
{ {
std::cerr << __PRETTY_FUNCTION__ << ": error while deserialising! Item will be dropped." << std::endl; std::cerr << __PRETTY_FUNCTION__ << ": error while deserialising! Item will be dropped." << std::endl;
delete item; delete item;