added checks after mallocs in several files

2025-06-17 02:49:34 -04:00 · 2016-01-11 23:49:00 -05:00 · 2016-01-11 23:49:00 -05:00 · 9c6e7dfc13
commit 9c6e7dfc13
parent 46520b0e22
15 changed files with 157 additions and 12 deletions
--- a/libretroshare/src/ft/ftcontroller.cc
+++ b/libretroshare/src/ft/ftcontroller.cc
@ -749,6 +749,13 @@ bool ftController::copyFile(const std::string& source,const std::string& dest)
 	static const int BUFF_SIZE = 10485760 ; // 10 MB buffer to speed things up.
 	void *buffer = malloc(BUFF_SIZE) ;

+    	if(buffer == NULL)
+        {
+            std::cerr << "(EE) Error while allocating memory for " << BUFF_SIZE << " bytes in " << __PRETTY_FUNCTION__ << std::endl;
+	    fclose (in);
+	    fclose (out);
+            return false ;
+        }
 	bool bRet = true;

 	while( (s = fread(buffer,1,BUFF_SIZE,in)) > 0)
--- a/libretroshare/src/ft/ftserver.cc
+++ b/libretroshare/src/ft/ftserver.cc
@ -465,6 +465,8 @@ RsTurtleGenericTunnelItem *ftServer::deserialiseItem(void *data,uint32_t size) c
 		return NULL; /* wrong type */
 	}

+    try
+    {
 	switch(getRsItemSubType(rstype))
 	{
 		case RS_TURTLE_SUBTYPE_FILE_REQUEST 			:	return new RsTurtleFileRequestItem(data,size) ;
@ -477,6 +479,11 @@ RsTurtleGenericTunnelItem *ftServer::deserialiseItem(void *data,uint32_t size) c
 		default:
 																		return NULL ;
 	}
+    }
+    catch(std::exception& e)
+    {
+        std::cerr << "(EE) deserialisation error in " << __PRETTY_FUNCTION__ << ": " << e.what() << std::endl;
+    }
 }

 void ftServer::addVirtualPeer(const TurtleFileHash& hash,const TurtleVirtualPeerId& virtual_peer_id,RsTurtleGenericTunnelItem::Direction dir) 
--- a/libretroshare/src/ft/ftturtlefiletransferitem.cc
+++ b/libretroshare/src/ft/ftturtlefiletransferitem.cc
@ -422,14 +422,24 @@ RsTurtleFileDataItem::RsTurtleFileDataItem(void *data,uint32_t pktsize)
 	uint32_t offset = 8; // skip the header 
 	uint32_t rssize = getRsItemSize(data);

-	/* add mandatory parts first */
-
 	bool ok = true ;
+    
+    	if(rssize > pktsize)
+            ok = false ;
+        
+	/* add mandatory parts first */
 	ok &= getRawUInt32(data, pktsize, &offset, &tunnel_id) ;
 	ok &= getRawUInt64(data, pktsize, &offset, &chunk_offset);
 	ok &= getRawUInt32(data, pktsize, &offset, &chunk_size);

+    	if(chunk_size > rssize || rssize - chunk_size < offset)
+	    throw std::runtime_error("RsTurtleFileDataItem::() error while deserializing.") ;
+        
 	chunk_data = (void*)malloc(chunk_size) ;
+        
+        if(chunk_data == NULL)
+	    throw std::runtime_error("RsTurtleFileDataItem::() cannot allocate memory.") ;
+            
 	memcpy(chunk_data,(void*)((unsigned char*)data+offset),chunk_size) ;

 	offset += chunk_size ;
--- a/libretroshare/src/grouter/grouteritems.cc
+++ b/libretroshare/src/grouter/grouteritems.cc
@ -349,6 +349,13 @@ RsGRouterGenericDataItem *RsGRouterGenericDataItem::duplicate() const
    // then duplicate the memory chunk

    item->data_bytes = (uint8_t*)malloc(data_size) ;
+    
+    if(item->data_bytes == NULL)
+    {
+        std::cerr << "(EE) memory allocation error for " << data_size << " bytes in " << __PRETTY_FUNCTION__ << std::endl;
+        return NULL ;
+    }
+    
    memcpy(item->data_bytes,data_bytes,data_size) ;

    return item ;
--- a/libretroshare/src/grouter/grouteritems.h
+++ b/libretroshare/src/grouter/grouteritems.h
@ -195,6 +195,12 @@ class RsGRouterTransactionChunkItem: public RsGRouterTransactionItem, public RsG
        RsGRouterTransactionChunkItem *item = new RsGRouterTransactionChunkItem ;
        *item = *this ;	// copy all fields
        item->chunk_data = (uint8_t*)malloc(chunk_size) ;	// deep copy memory chunk
+        
+        if(item->chunk_data == NULL)
+        {
+            std::cerr << "(EE) Memory allocation error in " << __PRETTY_FUNCTION__ << " for size " << chunk_size << std::endl;
+            return NULL ;
+        }
        memcpy(item->chunk_data,chunk_data,chunk_size) ;
        return item ;
    }
--- a/libretroshare/src/grouter/p3grouter.cc
+++ b/libretroshare/src/grouter/p3grouter.cc
@ -1922,6 +1922,12 @@ bool p3GRouter::sendData(const RsGxsId& destination,const GRouterServiceId& clie
    RsGRouterGenericDataItem *data_item = new RsGRouterGenericDataItem ;

    data_item->data_bytes = (uint8_t*)malloc(data_size) ;
+    
+    if(data_item->data_bytes == NULL)
+    {
+        std::cerr << "(EE) memory allocaiton error for " << data_size << " bytes in " << __PRETTY_FUNCTION__<< std::endl;
+        return false ;
+    }
    memcpy(data_item->data_bytes,data,data_size) ;

    data_item->data_size = data_size ;
--- a/libretroshare/src/gxs/gxssecurity.cc
+++ b/libretroshare/src/gxs/gxssecurity.cc
@ -445,6 +445,13 @@ bool GxsSecurity::encrypt(uint8_t *& out, uint32_t &outlen, const uint8_t *in, u

 	int max_evp_key_size = EVP_PKEY_size(public_key);
 	ek = (unsigned char*)malloc(max_evp_key_size);
+    
+    	if(ek == NULL)
+        {
+            std::cerr << "(EE) memory allocation error for " << max_evp_key_size << " bytes in " << __PRETTY_FUNCTION__ << std::endl;
+            return false ;
+        }
+        
 	const EVP_CIPHER *cipher = EVP_aes_128_cbc();
 	int cipher_block_size = EVP_CIPHER_block_size(cipher);
 	int size_net_ekl = sizeof(net_ekl);
@ -541,6 +548,12 @@ bool GxsSecurity::decrypt(uint8_t *& out, uint32_t & outlen, const uint8_t *in,
    EVP_CIPHER_CTX ctx;
    int eklen = 0, net_ekl = 0;
 	unsigned char *ek = (unsigned char*)malloc(EVP_PKEY_size(privateKey));
+    
+    if(ek == NULL)
+    {
+        std::cerr << "Memory allocation error in " << __PRETTY_FUNCTION__ << " for " << EVP_PKEY_size(privateKey) << " bytes." << std::endl;
+        return false ;
+    }
    unsigned char iv[EVP_MAX_IV_LENGTH];
    EVP_CIPHER_CTX_init(&ctx);

--- a/libretroshare/src/gxstunnel/p3gxstunnel.cc
+++ b/libretroshare/src/gxstunnel/p3gxstunnel.cc
@ -856,7 +856,7 @@ void p3GxsTunnelService::handleRecvDHPublicKey(RsGxsTunnelDHPublicKeyItem *item)
 #endif

    uint32_t pubkey_size = BN_num_bytes(item->public_key) ;
-    unsigned char *data = (unsigned char *)malloc(pubkey_size) ;
+    RsTemporaryMemory data(pubkey_size) ;
    BN_bn2bin(item->public_key, data) ;

    RsTlvSecurityKey signature_key ;
@ -901,7 +901,7 @@ void p3GxsTunnelService::handleRecvDHPublicKey(RsGxsTunnelDHPublicKeyItem *item)
 	    signature_key = item->gxs_key ;
    }

-    if(!GxsSecurity::validateSignature((char*)data,pubkey_size,signature_key,item->signature))
+    if(!GxsSecurity::validateSignature((char*)(unsigned char*)data,pubkey_size,signature_key,item->signature))
    {
        std::cerr << "(SS) Signature was verified and it doesn't check! This is a security issue!" << std::endl;
        return ;
@ -939,7 +939,7 @@ void p3GxsTunnelService::handleRecvDHPublicKey(RsGxsTunnelDHPublicKeyItem *item)
    // Looks for the DH params. If not there yet, create them.
    //
    int size = DH_size(it->second.dh) ;
-    unsigned char *key_buff = new unsigned char[size] ;
+    RsTemporaryMemory key_buff(size) ;

    if(size != DH_compute_key(key_buff,item->public_key,it->second.dh))
    {
@ -959,7 +959,6 @@ void p3GxsTunnelService::handleRecvDHPublicKey(RsGxsTunnelDHPublicKeyItem *item)

    assert(GXS_TUNNEL_AES_KEY_SIZE <= Sha1CheckSum::SIZE_IN_BYTES) ;
    memcpy(pinfo.aes_key, RsDirUtil::sha1sum(key_buff,size).toByteArray(),GXS_TUNNEL_AES_KEY_SIZE) ;
-    delete[] key_buff ;
    
    pinfo.last_contact = time(NULL) ;
    pinfo.last_keep_alive_sent = time(NULL) ;
@ -1138,6 +1137,12 @@ bool p3GxsTunnelService::locked_sendClearTunnelData(RsGxsTunnelDHPublicKeyItem *
    gitem->data_size  = rssize + 8 ;
    gitem->data_bytes = malloc(rssize+8) ;

+    if(gitem->data_bytes == NULL)
+    {
+        std::cerr <<  "(EE) could not allocate " << rssize+8 << " bytes of data in " << __PRETTY_FUNCTION__ << std::endl;
+        delete gitem ;
+        return NULL ;
+    }
    // by convention, we use a IV of 0 for unencrypted data.
    memset(gitem->data_bytes,0,8) ;

@ -1223,6 +1228,11 @@ bool p3GxsTunnelService::locked_sendEncryptedTunnelData(RsGxsTunnelItem *item)
    gitem->data_size  = encrypted_size + GXS_TUNNEL_ENCRYPTION_IV_SIZE + GXS_TUNNEL_ENCRYPTION_HMAC_SIZE ;
    gitem->data_bytes = malloc(gitem->data_size) ;

+    if(gitem->data_bytes == NULL)
+    {
+        std::cerr << "(EE) cannot allocate " << gitem->data_size << " bytes of memory in " << __PRETTY_FUNCTION__<< std::endl;
+        return false ;
+    }
    memcpy(& ((uint8_t*)gitem->data_bytes)[0]                                       ,&IV,8) ;

    unsigned int md_len = GXS_TUNNEL_ENCRYPTION_HMAC_SIZE ;
@ -1317,6 +1327,12 @@ bool p3GxsTunnelService::sendData(const RsGxsTunnelId &tunnel_id, uint32_t servi
    item->service_id = service_id;
    item->data_size = size;					// encrypted data size
    item->data = (uint8_t*)malloc(size);			// encrypted data
+    
+    if(item->data == NULL)
+    {
+        std::cerr << "(EE) Cannot allocate " << size << " bytes of memory in " << __PRETTY_FUNCTION__ << std::endl;
+        delete item ;
+    }
    item->PeerId(RsPeerId(tunnel_id)) ;
    memcpy(item->data,data,size) ;
    
--- a/libretroshare/src/pgp/pgphandler.cc
+++ b/libretroshare/src/pgp/pgphandler.cc
@ -40,6 +40,12 @@ PassphraseCallback PGPHandler::_passphrase_callback = NULL ;
 ops_keyring_t *PGPHandler::allocateOPSKeyring() 
 {
 	ops_keyring_t *kr = (ops_keyring_t*)malloc(sizeof(ops_keyring_t)) ;
+    
+    	if(kr == NULL)
+        {
+            std::cerr << "(EE) Cannot allocate memory for " << sizeof(ops_keyring_t) << " bytes in " << __PRETTY_FUNCTION__ << std::endl;
+            return NULL ;
+        }
 	kr->nkeys = 0 ;
 	kr->nkeys_allocated = 0 ;
 	kr->keys = 0 ;