From 8061d306ddb4a870221c31204a3b6f028bd80008 Mon Sep 17 00:00:00 2001 From: orignal Date: Mon, 25 Jan 2016 14:31:51 -0500 Subject: [PATCH] check tunnel payload size --- Tunnel.cpp | 5 +++++ TunnelEndpoint.cpp | 5 +++++ 2 files changed, 10 insertions(+) diff --git a/Tunnel.cpp b/Tunnel.cpp index 267485c8..47b3246c 100644 --- a/Tunnel.cpp +++ b/Tunnel.cpp @@ -482,6 +482,11 @@ namespace tunnel uint16_t len = bufbe16toh(payload + TUNNEL_GATEWAY_HEADER_LENGTH_OFFSET); // we make payload as new I2NP message to send msg->offset += I2NP_HEADER_SIZE + TUNNEL_GATEWAY_HEADER_SIZE; + if (msg->offset + len > msg->len) + { + LogPrint (eLogError, "Tunnel: gateway payload ", (int)len, " exceeds message length ", (int)msg->len); + return; + } msg->len = msg->offset + len; auto typeID = msg->GetTypeID (); LogPrint (eLogDebug, "Tunnel: gateway of ", (int) len, " bytes for tunnel ", tunnel->GetTunnelID (), ", msg type ", (int)typeID); diff --git a/TunnelEndpoint.cpp b/TunnelEndpoint.cpp index 151a4828..0b730d35 100644 --- a/TunnelEndpoint.cpp +++ b/TunnelEndpoint.cpp @@ -90,6 +90,11 @@ namespace tunnel msg->offset = fragment - msg->buf; msg->len = msg->offset + size; + if (msg->len > msg->maxLen) + { + LogPrint (eLogError, "TunnelMessage: fragment is too long ", (int)size); + return; + } if (fragment + size < decrypted + TUNNEL_DATA_ENCRYPTED_SIZE) { // this is not last message. we have to copy it