Git-Mirrors/RetroShare
1
0
Fork 0
mirror of https://github.com/RetroShare/RetroShare.git synced 2025-11-17 22:40:06 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

fixed potential integer overflow / Out of bounds read in GRouterItems.cc

Browse source
This commit is contained in:
csoler 2016-01-11 19:26:54 -05:00
parent 3094b52e8f
commit 98f0c101b9
1 changed files with 30 additions and 19 deletions
Download patch file Download diff file Expand all files Collapse all files

27
libretroshare/src/grouter/grouteritems.cc
View file

@ -66,6 +66,12 @@ RsGRouterTransactionChunkItem *RsGRouterSerialiser::deserialise_RsGRouterTransac
uint32_t rssize = getRsItemSize(data);
bool ok = true ;
if(tlvsize < rssize)
{
std::cerr << __PRETTY_FUNCTION__ << ": wrong encoding of item size. Serialisation error!" << std::endl;
return NULL ;
}
RsGRouterTransactionChunkItem *item = new RsGRouterTransactionChunkItem() ;
/* add mandatory parts first */
@ -74,15 +80,15 @@ RsGRouterTransactionChunkItem *RsGRouterSerialiser::deserialise_RsGRouterTransac
ok &= getRawUInt32(data, tlvsize, &offset, &item->chunk_size);
ok &= getRawUInt32(data, tlvsize, &offset, &item->total_size);
if( NULL == (item->chunk_data = (uint8_t*)malloc(item->chunk_size)))
if(item->chunk_size > rssize || offset > rssize - item->chunk_size) // better than if(item->chunk_size + offset > rssize)
{
std::cerr << __PRETTY_FUNCTION__ << ": Cannot allocate memory for chunk " << item->chunk_size << std::endl;
std::cerr << __PRETTY_FUNCTION__ << ": Cannot read beyond item size. Serialisation error!" << std::endl;
delete item;
return NULL ;
}
if(item->chunk_size + offset > rssize)
if( NULL == (item->chunk_data = (uint8_t*)malloc(item->chunk_size)))
{
std::cerr << __PRETTY_FUNCTION__ << ": Cannot read beyond item size. Serialisation error!" << std::endl;
std::cerr << __PRETTY_FUNCTION__ << ": Cannot allocate memory for chunk " << item->chunk_size << std::endl;
delete item;
return NULL ;
}
@ -125,6 +131,11 @@ RsGRouterGenericDataItem *RsGRouterSerialiser::deserialise_RsGRouterGenericDataI
uint32_t rssize = getRsItemSize(data);
bool ok = true ;
if(pktsize < rssize)
{
std::cerr << __PRETTY_FUNCTION__ << ": wrong encoding of item size. Serialisation error!" << std::endl;
return NULL ;
}
RsGRouterGenericDataItem *item = new RsGRouterGenericDataItem() ;
ok &= getRawUInt64(data, pktsize, &offset, &item->routing_id);
@ -132,16 +143,16 @@ RsGRouterGenericDataItem *RsGRouterSerialiser::deserialise_RsGRouterGenericDataI
ok &= getRawUInt32(data, pktsize, &offset, &item->service_id);
ok &= getRawUInt32(data, pktsize, &offset, &item->data_size);
if( NULL == (item->data_bytes = (uint8_t*)malloc(item->data_size)))
if(item->data_size > rssize || offset > rssize - item->data_size) // better than if(item->data_size + offset > rssize)
{
std::cerr << __PRETTY_FUNCTION__ << ": Cannot allocate memory for chunk " << item->data_size << std::endl;
std::cerr << __PRETTY_FUNCTION__ << ": Cannot read beyond item size. Serialisation error!" << std::endl;
delete item;
return NULL ;
}
if(item->data_size + offset > rssize)
if( NULL == (item->data_bytes = (uint8_t*)malloc(item->data_size)))
{
std::cerr << __PRETTY_FUNCTION__ << ": Cannot read beyond item size. Serialisation error!" << std::endl;
std::cerr << __PRETTY_FUNCTION__ << ": Cannot allocate memory for chunk " << item->data_size << std::endl;
delete item;
return NULL ;
}